Fix: potential vulnerability in http provider (#2680)

2023-04-16 20:14:36 +08:00
parent 8e05fbfd6d
commit df61a586c9
2 changed files with 20 additions and 1 deletions
--- a/constant/path.go
+++ b/constant/path.go
@ -4,6 +4,7 @@ import (
 	"os"
 	P "path"
 	"path/filepath"
+	"strings"
 )

 const Name = "clash"
@ -51,6 +52,18 @@ func (p *path) Resolve(path string) string {
 	return path
 }

+// IsSubPath return true if path is a subpath of homedir
+func (p *path) IsSubPath(path string) bool {
+	homedir := p.HomeDir()
+	path = p.Resolve(path)
+	rel, err := filepath.Rel(homedir, path)
+	if err != nil {
+		return false
+	}
+
+	return !strings.Contains(rel, "..")
+}
+
 func (p *path) MMDB() string {
 	return P.Join(p.homeDir, "Country.mmdb")
 }