adding additional checks

Author: Mzack9999

internal/runner/options.go

@@ -40,7 +40,11 @@ func ParseOptions() *Options {
 	flag.BoolVar(&options.EnableTCP, "tcp", false, "TCP Server")
 	flag.BoolVar(&options.TCPWithTLS, "tls", false, "Enable TCP TLS")
 	flag.StringVar(&options.RulesFile, "rules", "", "Rules yaml file")
-	flag.StringVar(&options.Folder, "path", ".", "Folder")
+	currentPath := "."
+	if p, err := os.Getwd(); err == nil {
+		currentPath = p
+	}
+	flag.StringVar(&options.Folder, "path", currentPath, "Folder")
 	flag.BoolVar(&options.EnableUpload, "upload", false, "Enable upload via PUT")
 	flag.BoolVar(&options.HTTPS, "https", false, "HTTPS")
 	flag.StringVar(&options.TLSCertificate, "cert", "", "HTTPS Certificate")

pkg/httpserver/loglayer.go

@@ -68,7 +68,7 @@ func (t *HTTPServer) loglayer(handler http.Handler) http.Handler {
 				w.WriteHeader(http.StatusInternalServerError)
 				return
 			}
-			err = handleUpload(path.Base(r.URL.Path), data)
+			err = handleUpload(t.options.Folder, path.Base(r.URL.Path), data)
 			if err != nil {
 				gologger.Print().Msgf("%s\n", err)
 				w.WriteHeader(http.StatusInternalServerError)

pkg/httpserver/uploadlayer.go

@@ -1,7 +1,23 @@
 package httpserver
 
-import "io/ioutil"
+import (
+	"errors"
+	"io/ioutil"
+	"path/filepath"
+	"strings"
+)
+
+func handleUpload(base, file string, data []byte) error {
+	// rejects all paths containing a non exhaustive list of invalid characters - This is only a best effort as the tool is meant for development
+	if strings.ContainsAny(file, "\\`\"':") {
+		return errors.New("invalid character")
+	}
+
+	// allow upload only in subfolders
+	rel, err := filepath.Rel(base, file)
+	if rel == "" || err != nil {
+		return err
+	}
 
-func handleUpload(file string, data []byte) error {
 	return ioutil.WriteFile(file, data, 0655)
 }