mirror of
https://github.com/mudler/LocalAI.git
synced 2024-12-21 05:33:09 +00:00
01205fd4c0
* Initial implementation of upload files api. * Move sanitize method to utils. * Save uploaded data to uploads folder. * Avoid loop if we do not have a purpose. * Minor cleanup of api and fix bug where deleting duplicate filename cause error. * Revert defer of saving config * Moved creation of directory to startup. * Make file names unique when storing on disk. * Add test for files api. * Update dependencies.
35 lines
924 B
Go
35 lines
924 B
Go
package utils
|
|
|
|
import (
|
|
"fmt"
|
|
"path/filepath"
|
|
"strings"
|
|
)
|
|
|
|
func inTrustedRoot(path string, trustedRoot string) error {
|
|
for path != "/" {
|
|
path = filepath.Dir(path)
|
|
if path == trustedRoot {
|
|
return nil
|
|
}
|
|
}
|
|
return fmt.Errorf("path is outside of trusted root")
|
|
}
|
|
|
|
// VerifyPath verifies that path is based in basePath.
|
|
func VerifyPath(path, basePath string) error {
|
|
c := filepath.Clean(filepath.Join(basePath, path))
|
|
return inTrustedRoot(c, filepath.Clean(basePath))
|
|
}
|
|
|
|
// SanitizeFileName sanitizes the given filename
|
|
func SanitizeFileName(fileName string) string {
|
|
// filepath.Clean to clean the path
|
|
cleanName := filepath.Clean(fileName)
|
|
// filepath.Base to ensure we only get the final element, not any directory path
|
|
baseName := filepath.Base(cleanName)
|
|
// Replace any remaining tricky characters that might have survived cleaning
|
|
safeName := strings.ReplaceAll(baseName, "..", "")
|
|
return safeName
|
|
}
|