prevent more filenames

src/utils/utils.go

@@ -572,6 +572,7 @@ func UnzipDirectory(destination string, source string) error {
 // ValidFileName checks if a filename is valid
 // by making sure it has no invisible characters
 func ValidFileName(fname string) (err error) {
+	// make sure it doesn't contain unicode or invisible characters
 	for _, r := range fname {
 		if !unicode.IsGraphic(r) {
 			err = fmt.Errorf("non-graphical unicode: %x U+%d in '%s'", string(r), r, fname)
@@ -582,5 +583,20 @@ func ValidFileName(fname string) (err error) {
 			return
 		}
 	}
+	// make sure basename does not include ".." or path separators
+	_, basename := filepath.Split(fname)
+	if strings.Contains(basename, "..") {
+		err = fmt.Errorf("basename cannot contain '..': '%s'", basename)
+		return
+	}
+	if strings.Contains(basename, string(os.PathSeparator)) {
+		err = fmt.Errorf("basename cannot contain path separators: '%s'", basename)
+		return
+	}
+	// make sure the filename is not an absolute path
+	if filepath.IsAbs(fname) {
+		err = fmt.Errorf("filename cannot be an absolute path: '%s'", fname)
+		return
+	}
 	return
 }

src/utils/utils_test.go

@@ -261,4 +261,6 @@ func TestValidFileName(t *testing.T) {
 	err := ValidFileName("D中文.cslouglas​")
 	assert.NotNil(t, err)
 	assert.Equal(t, "non-graphical unicode: e2808b U+8203 in 'D中文.cslouglas​'", err.Error())
+	assert.NotNil(t, ValidFileName("hi..txt"))
+	assert.NotNil(t, ValidFileName("/hi/something.txt"))
 }