Documentation
Index
- Variables
- func CreateTempDir(baseDir string) (string, error)
- func Inbound(candidate, baseDir string) bool
- func IsSymlink(fi os.FileInfo) bool
- func RelativePath(fullPath, basePath string) (string, error)
- func SecureMkdirAll(root, unsafePath string, mode os.FileMode) (string, error)
- func Tgz(srcPath string, inclusions []string, exclusions []string, writers ...io.Writer) (int, error)
- func Untgz(dstPath string, r io.Reader, maxSize int64, preserveFileMode bool) error
Constants
This section is empty.
Variables
var RelativeOutOfBoundErr = errors.New("full path does not contain base path")
Functions
func CreateTempDir
CreateTempDir creates a temporary directory in baseDir with CSPRNG entropy in the name to avoid clashes and mitigate directory traversal. If baseDir is an empty string, os.TempDir() will be used. It is the caller's responsibility to remove the directory after use. Returns the full path of the generated directory.
func Inbound
Inbound validates whether the given candidate path is inside baseDir. This is useful to make sure that malicious candidates are not targeting a file outside of baseDir boundaries.
Considerations:
- baseDir must be an absolute path. Will return false otherwise
- candidate can be an absolute or relative path
- candidate should not be a symlink, as only syntactic validation is applied by this function
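The symlink consideration above, as an added example that is not this package's code: `lexicalInbound` and `resolvedInbound` are hypothetical stand-ins (the first imitates a syntax-only check, the second resolves symlinks with filepath.EvalSymlinks before comparing), run against a constructed temporary layout in which base/link points outside base.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// lexicalInbound: hypothetical purely syntactic containment check (no filesystem access).
func lexicalInbound(candidate, baseDir string) bool {
	if !filepath.IsAbs(candidate) {
		candidate = filepath.Join(baseDir, candidate)
	}
	rel, err := filepath.Rel(baseDir, candidate)
	return filepath.IsAbs(baseDir) && err == nil && rel != ".." &&
		!strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolvedInbound resolves symlinks first; paths that do not exist yet are rejected.
func resolvedInbound(candidate, baseDir string) bool {
	if !filepath.IsAbs(candidate) {
		candidate = filepath.Join(baseDir, candidate)
	}
	base, err1 := filepath.EvalSymlinks(baseDir)
	resolved, err2 := filepath.EvalSymlinks(candidate)
	return err1 == nil && err2 == nil && lexicalInbound(resolved, base)
}

// demo checks base/link/sub in a constructed layout where base/link -> outside.
func demo() (bool, bool, error) {
	tmp, err := os.MkdirTemp("", "inbound-demo-")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(tmp)
	base, outside := filepath.Join(tmp, "base"), filepath.Join(tmp, "outside")
	for _, d := range []string{base, filepath.Join(outside, "sub")} {
		if err := os.MkdirAll(d, 0o700); err != nil {
			return false, false, err
		}
	}
	if err := os.Symlink(outside, filepath.Join(base, "link")); err != nil {
		return false, false, err
	}
	c := filepath.Join(base, "link", "sub")
	return lexicalInbound(c, base), resolvedInbound(c, base), nil
}

func main() { fmt.Println(demo()) }
```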
func IsSymlink
IsSymlink returns true if the given FileInfo relates to a symlink file. Returns false otherwise.
func RelativePath
RelativePath removes the basePath string from the fullPath, including the path separator. Unlike filepath.Rel, this function returns an error (RelativeOutOfBoundErr) if basePath does not match (example 2).
Example 1:
    fullPath: /home/test/app/readme.md
    basePath: /home/test
    return: app/readme.md
Example 2:
    fullPath: /home/test/app/readme.md
    basePath: /somewhere/else
    return: "", RelativeOutOfBoundErr
Example 3:
    fullPath: /home/test/app/readme.md
    basePath: /home/test/app/readme.md
    return: .
func SecureMkdirAll
SecureMkdirAll creates a directory with the given mode and returns the full path to the directory. It prevents directory traversal attacks by ensuring the path is within the root directory. The path is constructed as if the given root is the root of the filesystem. So anything traversing outside the root is simply removed from the path.
func Tgz
func Tgz(srcPath string, inclusions []string, exclusions []string, writers ...io.Writer) (int, error)
Tgz will iterate over all files found in srcPath compressing them with gzip and archiving with Tar. Will invoke every given writer while generating the tgz. This is useful to generate checksums. Will exclude files matching the exclusions list blob if exclusions is not nil. Will include only the files matching the inclusions list if inclusions is not nil.
Types
This section is empty.