| 147 | } |
| 148 | |
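// createNewFile creates (or recreates) the file at fileFullName and returns it
// open for writing. It refuses paths under a fixed set of protected system
// directories, paths containing "..", and empty or "." paths.
//
// An existing file at the path is removed before the new one is created. The
// returned *os.File must be closed by the caller; every error wraps the
// underlying os error where there is one.
func createNewFile(fileFullName string) (*os.File, error) {
	protectedPaths := []string{"/etc", "/bin", "/dev", "/usr/bin", "/sbin", "/usr/sbin"}
	fileFullName = filepath.Clean(fileFullName)

	// Reject any path containing traversal sequences upfront. This runs on the
	// cleaned path *before* it is made absolute, so a relative path that still
	// climbs out of the working directory ("../x") is caught; Clean has already
	// collapsed interior "a/../b" segments. The substring test is deliberately
	// strict and also rejects file names that merely contain "..".
	if strings.Contains(fileFullName, "..") {
		return nil, fmt.Errorf("path traversal detected in file path: %s", fileFullName)
	}
	// Reject paths that resolve to the current directory or are empty.
	if fileFullName == "." || fileFullName == "" {
		return nil, fmt.Errorf("please provide the full file path. The provided path [%s] is not valid", fileFullName)
	}

	// Compare against the protected directories using the absolute form, so a
	// relative path such as "etc/passwd" cannot slip past the prefix check when
	// the working directory happens to be "/". Abs only fails if the working
	// directory cannot be determined.
	absPath, err := filepath.Abs(fileFullName)
	if err != nil {
		return nil, fmt.Errorf("resolving absolute path of %s: %w", fileFullName, err)
	}
	// Check if the path is, or lies under, any protected directory. Symlinks
	// are not resolved here, so a symlinked parent directory that points into
	// a protected location is not detected by this check.
	for _, protectedPath := range protectedPaths {
		if absPath == protectedPath || strings.HasPrefix(absPath, protectedPath+"/") {
			return nil, fmt.Errorf("access denied: cannot write to protected system directory %s", protectedPath)
		}
	}

	// Remove any existing file first. There is a small window between this
	// removal and Create in which another process could recreate the path;
	// Create's own error is returned in that case.
	if FileExists(absPath) {
		if err := os.Remove(absPath); err != nil {
			return nil, fmt.Errorf("file is unable to be deleted: %w", err)
		}
	}

	file, err := Create(absPath)
	if err != nil {
		// A failure here is a creation failure (permissions, missing parent,
		// race with another writer), not evidence that the file already exists.
		return nil, fmt.Errorf("unable to create file %s: %w", absPath, err)
	}
	return file, nil
}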
| 181 | |
| 182 | func extractZipFiles(reader io.Reader, dest string) error { |
| 183 | body, err := io.ReadAll(reader) |