pkg/tool: improve SanitizePath (#5558)

gogs.go

@@ -16,7 +16,7 @@ import (
 	"github.com/gogs/gogs/pkg/setting"
 )
 
-const APP_VER = "0.11.81.1217"
+const APP_VER = "0.11.82.1218"
 
 func init() {
 	setting.AppVer = APP_VER

pkg/tool/path.go

@@ -17,5 +17,7 @@ func IsSameSiteURLPath(url string) bool {
 
 // SanitizePath sanitizes user-defined file paths to prevent remote code execution.
 func SanitizePath(path string) string {
-	return strings.TrimLeft(path, "./")
+	path = strings.TrimLeft(path, "/")
+	path = strings.Replace(path, "../", "", -1)
+	return path
 }

pkg/tool/path_test.go

@@ -38,6 +38,7 @@ func Test_SanitizePath(t *testing.T) {
 			expect string
 		}{
 			{"../../../../../../../../../data/gogs/data/sessions/a/9/a9f0ab6c3ef63dd8", "data/gogs/data/sessions/a/9/a9f0ab6c3ef63dd8"},
+			{"data/gogs/../../../../../../../../../data/sessions/a/9/a9f0ab6c3ef63dd8", "data/gogs/data/sessions/a/9/a9f0ab6c3ef63dd8"},
 
 			{"data/sessions/a/9/a9f0ab6c3ef63dd8", "data/sessions/a/9/a9f0ab6c3ef63dd8"},
 		}

templates/.VERSION

@@ -1 +1 @@
-0.11.81.1217
+0.11.82.1218