From f00c810326182015c76541b15fac422805edcad0 Mon Sep 17 00:00:00 2001
From: dadav <33197631+dadav@users.noreply.github.com>
Date: Fri, 8 Mar 2024 21:09:02 +0100
Subject: [PATCH] fix: Check filename
---
 internal/v3/api/release.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/internal/v3/api/release.go b/internal/v3/api/release.go
index 040f8b8..05cd4ee 100644
--- a/internal/v3/api/release.go
+++ b/internal/v3/api/release.go
@@ -94,14 +94,27 @@ func ReleaseToModule(releaseSlug string) string {
 return releaseSlug[:strings.LastIndex(releaseSlug, "-")]
 }
 
+type GetFile400Response struct {
+ Message string `json:"message,omitempty"`
+
+ Errors []string `json:"errors,omitempty"`
+}
+
 // GetFile - Download module release
 func (s *ReleaseOperationsApi) GetFile(ctx context.Context, filename string) (gen.ImplResponse, error) {
+ if !utils.CheckReleaseSlug(strings.TrimSuffix(filename, ".tar.gz")) {
+ return gen.Response(400, gen.GetFile400Response{
+ Message: http.StatusText(http.StatusNotFound),
+ Errors: []string{"release slug is invalid"},
+ }), nil
+ }
+
 f, err := os.Open(filepath.Join(config.ModulesDir, ReleaseToModule(filename), filename))
 if err != nil {
 if os.IsNotExist(err) {
 return gen.Response(http.StatusNotFound, gen.GetFile404Response{
 Message: http.StatusText(http.StatusNotFound),
- Errors: []string{"The file does not exist."},
+ Errors: []string{"the file does not exist"},
 }), nil
 }
 }
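Review bot: The new 400 branch in GetFile fills `Message` with `http.StatusText(http.StatusNotFound)`, so a rejected filename is answered with status 400 but the text "Not Found"; it should read `return gen.Response(http.StatusBadRequest, gen.GetFile400Response{` with `Message: http.StatusText(http.StatusBadRequest),`. The hunk also declares `GetFile400Response` in this file while the handler uses `gen.GetFile400Response`, so the local type looks unused (or the build breaks if `gen` does not define one); keep only the one that is meant. If the check is meant to keep `filename` from escaping `config.ModulesDir`, it is only as strict as `utils.CheckReleaseSlug`, which is not visible here: the pattern has to be anchored and reject path separators and `..`, and because `strings.TrimSuffix` leaves names without `.tar.gz` unchanged, those are validated as bare slugs and still opened. A containment check on the joined path before `os.Open` (for example `filepath.Rel` against `config.ModulesDir`) would keep the handler safe even if the slug pattern is loosened later. GetFile's body continues outside the hunk.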