extern/hishtory
1
0
Fork 0
mirror of https://github.com/ddworken/hishtory.git synced 2025-06-24 05:51:38 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add validation to block absolute paths (#277)

Browse Source
This commit is contained in:
David Dworken 2025-01-05 18:06:57 -05:00 committed by GitHub
parent 0953e1ccca
commit 2ff52a8d66
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 17 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
client/data/data.go
View File

@ -12,6 +12,7 @@ import (
"fmt" "fmt"
"io" "io"
"os" "os"
"strings"
"time" "time"
"github.com/ddworken/hishtory/shared" "github.com/ddworken/hishtory/shared"
@ -160,7 +161,20 @@ func DecryptHistoryEntry(userSecret string, entry shared.EncHistoryEntry) (Histo
return decryptedEntry, nil return decryptedEntry, nil
} }
func ValidateHishtoryPath() error {
hishtoryPath := os.Getenv("HISHTORY_PATH")
if strings.HasPrefix(hishtoryPath, "/") {
return fmt.Errorf("HISHTORY_PATH must be a relative path")
}
return nil
}
func GetHishtoryPath() string { func GetHishtoryPath() string {
err := ValidateHishtoryPath()
if err != nil {
// This panic() can only trigger if the env variable is changed after process startup
panic(err)
}
hishtoryPath := os.Getenv("HISHTORY_PATH") hishtoryPath := os.Getenv("HISHTORY_PATH")
if hishtoryPath != "" { if hishtoryPath != "" {
return hishtoryPath return hishtoryPath

3
hishtory.go
View File

@ -2,9 +2,12 @@ package main
import ( import (
"github.com/ddworken/hishtory/client/cmd" "github.com/ddworken/hishtory/client/cmd"
"github.com/ddworken/hishtory/client/data"
"github.com/ddworken/hishtory/client/lib"
) )
func main() { func main() {
lib.CheckFatalError(data.ValidateHishtoryPath())
cmd.Execute() cmd.Execute()
} }