From a14355ac81934fa30bfc2747b8e0fe167c5aaedf Mon Sep 17 00:00:00 2001
From: Stephen Seo
Date: Sun, 3 Nov 2024 17:54:55 +0900
Subject: [PATCH] Fix potential invalid path when fetching static

---
 src/main.c | 2 ++
 src/static.c | 16 ++++++++++++++++
 src/static.h | 6 +++++-
 3 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/src/main.c b/src/main.c
index 3beaefe..edeb6f0 100644
--- a/src/main.c
+++ b/src/main.c
@@ -452,6 +452,8 @@ int main(int argc, char **argv) {
 response_code = C_SIMPLE_HTTP_Response_400_Bad_Request;
 } else if (file_info.result == STATIC_FILE_RESULT_404NotFound) {
 response_code = C_SIMPLE_HTTP_Response_404_Not_Found;
+ } else if (file_info.result == STATIC_FILE_RESULT_InvalidPath) {
+ response_code = C_SIMPLE_HTTP_Response_400_Bad_Request;
 } else {
 response_code = C_SIMPLE_HTTP_Response_500_Internal_Server_Error;
 }
diff --git a/src/static.c b/src/static.c
index 18c9e92..2414fba 100644
--- a/src/static.c
+++ b/src/static.c
@@ -120,6 +120,9 @@ C_SIMPLE_HTTP_StaticFileInfo c_simple_http_get_file(
 } else if (!ignore_mime_type && !c_simple_http_is_xdg_mime_available()) {
 file_info.result = STATIC_FILE_RESULT_NoXDGMimeAvailable;
 return file_info;
+ } else if (c_simple_http_static_validate_path(path) != 0) {
+ file_info.result = STATIC_FILE_RESULT_InvalidPath;
+ return file_info;
 }
 
 uint64_t buf_size = 128;
@@ -298,4 +301,17 @@ C_SIMPLE_HTTP_StaticFileInfo c_simple_http_get_file(
 return file_info;
 }
 
+int c_simple_http_static_validate_path(const char *path) {
+ uint64_t length = strlen(path);
+ for (uint64_t idx = 0; idx <= length && path[idx] != 0; ++idx) {
+ if (length - idx >= 2) {
+ if (path[idx] == '.' && path[idx + 1] == '.') {
+ // Contains "..", invalid.
+ return 1;
+ }
+ }
+ }
+ return 0;
+}
+
 // vim: et ts=2 sts=2 sw=2
diff --git a/src/static.h b/src/static.h
index 98deed8..d36b1bc 100644
--- a/src/static.h
+++ b/src/static.h
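Review bot: c_simple_http_static_validate_path passes `path` straight to strlen() with no NULL check, and because the header now exports it as a public function, any caller other than c_simple_http_get_file (which may have already rejected NULL via STATIC_FILE_RESULT_InvalidParameter) would hit undefined behaviour; the hand-written scan can also be replaced by a library call. I would write the body as `if (path == NULL) return 1;` followed by `return strstr(path, "..") != NULL;`, which accepts and rejects exactly the same strings as the current loop (any ".." substring is rejected, including names like "a..b", which is the conservative choice and worth saying in the function comment). Where `path` originates is outside the hunk; if it is the request target before percent-decoding, the check runs on the encoded form, so it is worth confirming that decoding happens before c_simple_http_get_file is called. An empty path and a leading '/' are not rejected either, which is fine if the caller always prefixes static_dir, but the comment should state that assumption.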
@@ -26,7 +26,8 @@ typedef enum C_SIMPLE_HTTP_StaticFileResult {
 STATIC_FILE_RESULT_InvalidParameter,
 STATIC_FILE_RESULT_NoXDGMimeAvailable,
 STATIC_FILE_RESULT_InternalError,
- STATIC_FILE_RESULT_404NotFound
+ STATIC_FILE_RESULT_404NotFound,
+ STATIC_FILE_RESULT_InvalidPath
 } C_SIMPLE_HTTP_StaticFileResult;
 
 typedef struct C_SIMPLE_HTTP_StaticFileInfo {
@@ -47,6 +48,9 @@ void c_simple_http_cleanup_static_file_info(
 C_SIMPLE_HTTP_StaticFileInfo c_simple_http_get_file(
 const char *static_dir, const char *path, int_fast8_t ignore_mime_type);
 
+/// Returns zero if OK.
+int c_simple_http_static_validate_path(const char *path);
+
 #endif
 
 // vim: et ts=2 sts=2 sw=2
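Review bot: The comment `/// Returns zero if OK.` on the new declaration does not tell a caller what is being validated or what the precondition is, and the new STATIC_FILE_RESULT_InvalidPath enumerator in the first hunk of this file carries no comment at all. Suggest `/// Returns zero if path contains no ".." sequence, non-zero otherwise; path must be non-NULL.` for the declaration, so the rule is visible without reading static.c, and `STATIC_FILE_RESULT_InvalidPath, // path rejected by c_simple_http_static_validate_path` on the enumerator. The enum is also ordered by value; appending at the end keeps existing numeric values stable, which is worth preserving if the values are ever logged or serialized.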