Merge pull request #15 from randlabs/updated_deps

mxmauro · web-flow · commit 670751175e87 · 2023-09-25T21:05:56.000-03:00
Updated deps and propagate sanitize url errors
diff --git a/LICENSE b/LICENSE
@@ -187,7 +187,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright (C) 2022 RandLabs
+   Copyright (C) 2022-2023 RandLabs
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
diff --git a/go.mod b/go.mod
@@ -4,12 +4,12 @@ go 1.19
 
 require (
 	github.com/fasthttp/router v1.4.20
-	github.com/valyala/fasthttp v1.48.0
+	github.com/valyala/fasthttp v1.50.0
 )
 
 require (
 	github.com/andybalholm/brotli v1.0.5 // indirect
-	github.com/klauspost/compress v1.16.7 // indirect
+	github.com/klauspost/compress v1.17.0 // indirect
 	github.com/savsgio/gotils v0.0.0-20230208104028-c358bd845dee // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/valyala/tcplisten v1.0.0 // indirect
diff --git a/go.sum b/go.sum
@@ -2,14 +2,14 @@ github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/
 github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
 github.com/fasthttp/router v1.4.20 h1:yPeNxz5WxZGojzolKqiP15DTXnxZce9Drv577GBrDgU=
 github.com/fasthttp/router v1.4.20/go.mod h1:um867yNQKtERxBm+C+yzgWxjspTiQoA8z86Ec3fK/tc=
-github.com/klauspost/compress v1.16.7 h1:2mk3MPGNzKyxErAw8YaohYh69+pa4sIQSC0fPGCFR9I=
-github.com/klauspost/compress v1.16.7/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/klauspost/compress v1.17.0 h1:Rnbp4K9EjcDuVuHtd0dgA4qNuv9yKDYKK1ulpJwgrqM=
+github.com/klauspost/compress v1.17.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
 github.com/savsgio/gotils v0.0.0-20230208104028-c358bd845dee h1:8Iv5m6xEo1NR1AvpV+7XmhI4r39LGNzwUL4YpMuL5vk=
 github.com/savsgio/gotils v0.0.0-20230208104028-c358bd845dee/go.mod h1:qwtSXrKuJh/zsFQ12yEE89xfCrGKK63Rr7ctU/uCo4g=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
-github.com/valyala/fasthttp v1.48.0 h1:oJWvHb9BIZToTQS3MuQ2R3bJZiNSa2KiNdeI8A+79Tc=
-github.com/valyala/fasthttp v1.48.0/go.mod h1:k2zXd82h/7UZc3VOdJ2WaUqt1uZ/XpXAfE9i+HBC3lA=
+github.com/valyala/fasthttp v1.50.0 h1:H7fweIlBm0rXLs2q0XbalvJ6r0CUPFWK3/bB4N13e9M=
+github.com/valyala/fasthttp v1.50.0/go.mod h1:k2zXd82h/7UZc3VOdJ2WaUqt1uZ/XpXAfE9i+HBC3lA=
 github.com/valyala/tcplisten v1.0.0 h1:rBHj/Xf+E1tRGZyWIWwJDiRY0zc1Js+CV5DqwacVSA8=
 github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc=
 golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
diff --git a/middleware/trailingslash.go b/middleware/trailingslash.go
@@ -44,7 +44,14 @@ func NewTrailingSlash(opts TrailingSlashOptions) webserver.MiddlewareFunc {
 				}
 			}
 			if modified {
-				uri.SetPath(util.SanitizeUrlPath(path))
+				var err error
+
+				path, err = util.SanitizeUrlPath(path)
+				if err != nil {
+					req.Error(err.Error(), 400)
+					return nil
+				}
+				uri.SetPath(path)
 
 				// Redirect
 				if opts.RedirectCode != 0 {
diff --git a/util/uri.go b/util/uri.go
@@ -1,15 +1,16 @@
 package util
 
 import (
+	"errors"
 	"strings"
 )
 
 // -----------------------------------------------------------------------------
 
-func SanitizeUrlPath(path string) string {
+func SanitizeUrlPath(path string) (string, error) {
 	// Nothing to sanitize?
 	if len(path) == 0 {
-		return "/"
+		return "/", nil
 	}
 
 	// Convert backslashes
@@ -28,6 +29,8 @@ func SanitizeUrlPath(path string) string {
 			} else {
 				if len(newPathFragments) > 0 {
 					newPathFragments = newPathFragments[0 : len(newPathFragments)-1]
+				} else {
+					return "", errors.New("invalid path")
 				}
 			}
 		}
@@ -40,5 +43,5 @@ func SanitizeUrlPath(path string) string {
 	}
 
 	// Done
-	return path
+	return path, nil
 }
diff --git a/webserver.go b/webserver.go
@@ -370,13 +370,18 @@ func (srv *Server) CustomMethod(method string, path string, handler HandlerFunc,
 
 // ServeFiles adds custom filesystem handler for the specified route
 func (srv *Server) ServeFiles(path string, opts ServerFilesOptions, middlewares ...MiddlewareFunc) error {
+	var err error
+
 	// Check some options
 	if !filepath.IsAbs(opts.RootDirectory) {
 		return errors.New("absolute path must be provided")
 	}
 
 	// Normalize path
-	path = util.SanitizeUrlPath(path + "/" + serveFilesSuffix)
+	path, err = util.SanitizeUrlPath(path + "/" + serveFilesSuffix)
+	if err != nil {
+		return err
+	}
 
 	indexNames := make([]string, 0)
 	if !opts.DisableDefaultIndexPages {

Original file line number	Diff line number	Diff line change
`@@ -1,15 +1,16 @@`
`1`	`1`	`package util`
`2`	`2`
`3`	`3`	`import (`
	`4`	`+ "errors"`
`4`	`5`	`"strings"`
`5`	`6`	`)`
`6`	`7`
`7`	`8`	`// -----------------------------------------------------------------------------`
`8`	`9`
`9`		`-func SanitizeUrlPath(path string) string {`
	`10`	`+func SanitizeUrlPath(path string) (string, error) {`
`10`	`11`	`// Nothing to sanitize?`
`11`	`12`	`if len(path) == 0 {`
`12`		`- return "/"`
	`13`	`+ return "/", nil`
`13`	`14`	`}`
`14`	`15`
`15`	`16`	`// Convert backslashes`
`@@ -28,6 +29,8 @@ func SanitizeUrlPath(path string) string {`
`28`	`29`	`} else {`
`29`	`30`	`if len(newPathFragments) > 0 {`
`30`	`31`	`newPathFragments = newPathFragments[0 : len(newPathFragments)-1]`
	`32`	`+ } else {`
	`33`	`+ return "", errors.New("invalid path")`
`31`	`34`	`}`
`32`	`35`	`}`
`33`	`36`	`}`
`@@ -40,5 +43,5 @@ func SanitizeUrlPath(path string) string {`
`40`	`43`	`}`
`41`	`44`
`42`	`45`	`// Done`
`43`		`- return path`
	`46`	`+ return path, nil`
`44`	`47`	`}`