Add validation to block absolute paths (#277)

2025-03-12 06:08:22 +01:00 · 2025-01-05 18:06:57 -05:00 · 2025-01-05 18:06:57 -05:00 · 2ff52a8d66
commit 2ff52a8d66
parent 0953e1ccca
2 changed files with 17 additions and 0 deletions
--- a/client/data/data.go
+++ b/client/data/data.go
@ -12,6 +12,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"strings"
 	"time"

 	"github.com/ddworken/hishtory/shared"
@ -160,7 +161,20 @@ func DecryptHistoryEntry(userSecret string, entry shared.EncHistoryEntry) (Histo
 	return decryptedEntry, nil
 }

+func ValidateHishtoryPath() error {
+	hishtoryPath := os.Getenv("HISHTORY_PATH")
+	if strings.HasPrefix(hishtoryPath, "/") {
+		return fmt.Errorf("HISHTORY_PATH must be a relative path")
+	}
+	return nil
+}
+
 func GetHishtoryPath() string {
+	err := ValidateHishtoryPath()
+	if err != nil {
+		// This panic() can only trigger if the env variable is changed after process startup
+		panic(err)
+	}
 	hishtoryPath := os.Getenv("HISHTORY_PATH")
 	if hishtoryPath != "" {
 		return hishtoryPath
--- a/hishtory.go
+++ b/hishtory.go
@ -2,9 +2,12 @@ package main

 import (
 	"github.com/ddworken/hishtory/client/cmd"
+	"github.com/ddworken/hishtory/client/data"
+	"github.com/ddworken/hishtory/client/lib"
 )

 func main() {
+	lib.CheckFatalError(data.ValidateHishtoryPath())
 	cmd.Execute()
 }