fix code scanning warning: uncontrolled data used in path expression.

ossrs · Oct 29, 2024 · d18fa2b · d18fa2b
1 parent d1ffc2a
commit d18fa2b
Showing 1 changed file with 25 additions and 6 deletions.
diff --git a/platform/srs-hooks.go b/platform/srs-hooks.go
@@ -730,15 +730,34 @@ func handleOnHls(ctx context.Context, handler *http.ServeMux) error {
 				return errors.Errorf("invalid action=%v", msg.Action)
 			}
 
-			if _, err := os.Stat(msg.File); err != nil {
-				logger.Tf(ctx, "invalid ts file %v", msg.File)
+			cleanPath := filepath.Clean(msg.File)
 
-				if err := os.MkdirAll(filepath.Dir(msg.File), 0755); err != nil {
-					return errors.Wrapf(err, "failed to create ts file directory %v", filepath.Dir(msg.File))
+			logger.Tf(ctx, "ts file clean path: %v", cleanPath)
+			if filepath.IsAbs(cleanPath) {
+				return errors.Errorf("unsafe path %v", cleanPath)
+			}
+			currentDir, err := os.Getwd()
+			if err != nil {
+				return err
+			}
+			safePath := filepath.Join(currentDir, cleanPath)
+			fileExtension := filepath.Ext(safePath)
+			switch fileExtension {
+			case ".ts", ".mp4", ".m4s":
+				break
+			default:
+				return errors.Errorf("invalid file extension %v", fileExtension)
+			}
+
+			if _, err := os.Stat(safePath); err != nil {
+				logger.Tf(ctx, "invalid ts file %v", safePath)
+
+				if err := os.MkdirAll(filepath.Dir(safePath), 0755); err != nil {
+					return errors.Wrapf(err, "failed to create ts file directory %v", filepath.Dir(safePath))
 				}
 
-				if tsFile, err := os.Create(msg.File); err != nil {
-					return errors.Wrapf(err, "failed to create ts file %v", msg.File)
+				if tsFile, err := os.Create(safePath); err != nil {
+					return errors.Wrapf(err, "failed to create ts file %v", safePath)
 				} else {
 					tsUrl := "http://" + os.Getenv("SRS_HOST") + ":" + os.Getenv("SRS_HTTP_STREAM_PORT") + "/" + msg.URL
 					logger.Tf(ctx, "download ts from %v", tsUrl)