diff pkg/models/common.go @ 5377:d19fdf3d2099 extented-report

Add a string type that allows only runes that are safe against directory traversal.
author Sascha L. Teichmann <sascha.teichmann@intevation.de>
date Thu, 24 Jun 2021 22:13:48 +0200
parents 4847ac70103a
children 1222b777f51f
--- a/pkg/models/common.go	Thu Jun 24 19:24:21 2021 +0200
+++ b/pkg/models/common.go	Thu Jun 24 22:13:48 2021 +0200
@@ -18,6 +18,7 @@
 	"encoding/json"
 	"errors"
 	"fmt"
+	"regexp"
 	"strings"
 	"time"
 
@@ -40,6 +41,9 @@
 	Country string
 	// UniqueCountries is a list of unique countries.
 	UniqueCountries []Country
+
+	// SafePath should only contain chars that directory traversal safe.
+	SafePath string
 )
 
 func (d Date) MarshalJSON() ([]byte, error) {
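Review bot: The comment on `SafePath` promises more than the type enforces. It is a plain string type, so a conversion such as `SafePath(x)`, or a value filled in by anything other than the JSON decoder, is never checked. The only enforcement visible in this commit is the `UnmarshalJSON` method added further down. I would reword the comment to say so, e.g. `// SafePath is a single path component limited to [a-zA-Z0-9_-]; only UnmarshalJSON enforces this, other producers must call Valid before use.` The type block starts above this hunk.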
@@ -149,3 +153,25 @@
 	}
 	return b.String()
 }
+
+const SafePathExp = "[a-zA-Z0-9_-]+"
+
+var safePathRegExp = regexp.MustCompile("^" + SafePathExp + "$")
+
+func (sp SafePath) Valid() bool {
+	return safePathRegExp.MatchString(string(sp))
+}
+
+// UnmarshalJSON ensures that the given string only consist
+// of runes that are directory traversal safe.
+func (sp *SafePath) UnmarshalJSON(data []byte) error {
+	var s string
+	if err := json.Unmarshal(data, &s); err != nil {
+		return err
+	}
+	if c := SafePath(s); c.Valid() {
+		*sp = c
+		return nil
+	}
+	return fmt.Errorf("'%s' is not a safe path", s)
+}
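Review bot: The rejection message in `UnmarshalJSON` formats the rejected input with `'%s'`, so newlines and control characters from the decoded JSON string are copied verbatim into the error text and into any log that records it. `return fmt.Errorf("%q is not a safe path", s)` escapes them. `Valid` and the exported `SafePathExp` have no doc comments; the one on `SafePathExp` should state that the expression is unanchored and must be wrapped in `^`…`$`, as `safePathRegExp` does, before it is used for validation. The pattern also sets no upper bound on length and accepts a leading `-`, so if these values end up as file names or as arguments to external tools, a length limit in `Valid` would be worth adding.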