Do not allow paths in "archiveFileName" property in package_index.json
cmaglie committed Jul 24, 2020
1 parent 3775f51 commit 651824c
Showing 1 changed file with 9 additions and 1 deletion.
10 changes: 9 additions & 1 deletion arduino/resources/helpers.go
@@ -20,6 +20,7 @@ import (
"os"

"github.com/arduino/go-paths-helper"
"github.com/pkg/errors"
"go.bug.st/downloader/v2"
)

@@ -30,7 +31,14 @@ func (r *DownloadResource) ArchivePath(downloadDir *paths.Path) (*paths.Path, er
if err := staging.MkdirAll(); err != nil {
return nil, err
}
return staging.Join(r.ArchiveFileName), nil

// Filter out paths from file name
archiveFileName := paths.New(r.ArchiveFileName).Base()
archivePath := staging.Join(archiveFileName).Clean()
if archivePath.IsDir() {
return nil, errors.Errorf("invalid filename or exinsting directory: %s", archivePath)
}
return archivePath, nil
}

// IsCached returns true if the specified DownloadResource has already been downloaded
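Review bot: The containment of `archiveFileName` depends on the `archivePath.IsDir()` check as much as on `Base()`. If `Base()` follows `filepath.Base`, values such as `..` or `.` come back unchanged and are rejected only because the joined path happens to resolve to an existing directory, which the comment `// Filter out paths from file name` does not convey. An explicit guard right after `Base()`, for example `if archiveFileName == "." || archiveFileName == ".." { return nil, errors.Errorf("invalid filename: %s", r.ArchiveFileName) }`, would make the rejection independent of what is on disk; how `paths.New` treats an empty `ArchiveFileName` is not visible here and should be confirmed. The error string also has a typo, `exinsting` for `existing`. The commit changes only this file, so a regression test feeding traversal-style names from a package index into `ArchivePath` would be worth adding; the start of `ArchivePath`, where `staging` is built, lies outside the hunk.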
