package utils import ( "fmt" "path/filepath" "strings" ) func inTrustedRoot(path string, trustedRoot string) error { for path != "/" { path = filepath.Dir(path) if path == trustedRoot { return nil } } return fmt.Errorf("path is outside of trusted root") } // VerifyPath verifies that path is based in basePath. func VerifyPath(path, basePath string) error { c := filepath.Clean(filepath.Join(basePath, path)) return inTrustedRoot(c, filepath.Clean(basePath)) } // SanitizeFileName sanitizes the given filename func SanitizeFileName(fileName string) string { // filepath.Clean to clean the path cleanName := filepath.Clean(fileName) // filepath.Base to ensure we only get the final element, not any directory path baseName := filepath.Base(cleanName) // Replace any remaining tricky characters that might have survived cleaning safeName := strings.ReplaceAll(baseName, "..", "") return safeName }