From c2b3d19a5101d4a849ae2425a1cf5564a8b0ab94 Mon Sep 17 00:00:00 2001
From: naiba
Date: Thu, 28 Nov 2024 20:26:51 +0800
Subject: [PATCH] Fix code scanning alert no. 23: Uncontrolled data used in path expression (#486)
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 cmd/dashboard/controller/controller.go | 29 +++++++++++++++++++-------
 1 file changed, 21 insertions(+), 8 deletions(-)
diff --git a/cmd/dashboard/controller/controller.go b/cmd/dashboard/controller/controller.go
index 48f555f..9421b91 100644
--- a/cmd/dashboard/controller/controller.go
+++ b/cmd/dashboard/controller/controller.go
@@ -213,20 +213,33 @@ func fallbackToFrontend(c *gin.Context) {
 c.JSON(http.StatusOK, newErrorResponse(errors.New("404 Not Found")))
 return
 }
+ const safeDirAdmin = "./admin-dist"
+ const safeDirUser = "user-dist"
+
 if strings.HasPrefix(c.Request.URL.Path, "/dashboard") {
 stripPath := strings.TrimPrefix(c.Request.URL.Path, "/dashboard")
- localFilePath := filepath.Join("./admin-dist", stripPath)
- if _, err := os.Stat(localFilePath); err == nil {
- c.File(localFilePath)
+ localFilePath := filepath.Join(safeDirAdmin, stripPath)
+ absPath, err := filepath.Abs(localFilePath)
+ if err != nil || !strings.HasPrefix(absPath, safeDirAdmin) {
+ c.JSON(http.StatusBadRequest, newErrorResponse(errors.New("Invalid file path")))
 return
 }
- c.File("admin-dist/index.html")
+ if _, err := os.Stat(absPath); err == nil {
+ c.File(absPath)
+ return
+ }
+ c.File(filepath.Join(safeDirAdmin, "index.html"))
 return
 }
- localFilePath := filepath.Join("user-dist", c.Request.URL.Path)
- if _, err := os.Stat(localFilePath); err == nil {
- c.File(localFilePath)
+ localFilePath := filepath.Join(safeDirUser, c.Request.URL.Path)
+ absPath, err := filepath.Abs(localFilePath)
+ if err != nil || !strings.HasPrefix(absPath, safeDirUser) {
+ c.JSON(http.StatusBadRequest, newErrorResponse(errors.New("Invalid file path")))
 return
 }
- c.File("user-dist/index.html")
+ if _, err := os.Stat(absPath); err == nil {
+ c.File(absPath)
+ return
+ }
+ c.File(filepath.Join(safeDirUser, "index.html"))
 }
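Review bot: `strings.HasPrefix(absPath, safeDirAdmin)` can never be true, because `filepath.Abs` returns a path rooted at the working directory while `safeDirAdmin` is the relative literal `"./admin-dist"` (the same holds for `safeDirUser` in the second branch), so both branches answer every request with 400 "Invalid file path" and the frontend becomes unreachable. Resolve the base directory with `filepath.Abs` as well and compare against it with a trailing separator (accepting an exact match for the directory itself), since a bare prefix match would otherwise also admit a sibling directory such as `admin-dist-old` under the same parent. The helper below does both; it belongs at package level, and the two call sites inside `fallbackToFrontend` replace the `localFilePath`/`absPath`/`HasPrefix` lines. `fallbackToFrontend` begins before this hunk.

```go
// safeJoin resolves rel beneath base and reports whether the result stays inside base.
func safeJoin(base, rel string) (string, bool) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", false
	}
	absPath, err := filepath.Abs(filepath.Join(absBase, rel))
	if err != nil {
		return "", false
	}
	// Exact match or a child path; a plain prefix test would also accept "<base>-other".
	if absPath != absBase && !strings.HasPrefix(absPath, absBase+string(os.PathSeparator)) {
		return "", false
	}
	return absPath, true
}

	// … unchanged: 404 guard, safeDirAdmin/safeDirUser constants …
	if strings.HasPrefix(c.Request.URL.Path, "/dashboard") {
		stripPath := strings.TrimPrefix(c.Request.URL.Path, "/dashboard")
		absPath, ok := safeJoin(safeDirAdmin, stripPath)
		if !ok {
			c.JSON(http.StatusBadRequest, newErrorResponse(errors.New("Invalid file path")))
			return
		}
		// … unchanged: os.Stat / c.File / index.html fallback …
	}
	absPath, ok := safeJoin(safeDirUser, c.Request.URL.Path)
	if !ok {
		c.JSON(http.StatusBadRequest, newErrorResponse(errors.New("Invalid file path")))
		return
	}
	// … unchanged: os.Stat / c.File / index.html fallback …
```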