fix: Gosec/sec fixes (#2004)

* Customization of the initialization file * fix: G601 (CWE-118): Implicit memory aliasing in for loop * fix: G304 (CWE-22): Potential file inclusion via variable * fix: G110 (CWE-409): Potential DoS vulnerability via decompression bomb
2025-07-03 12:30:19 +08:00 · 2023-06-21 13:55:20 +03:00
parent d505a4bf2d
commit 6ebca6dbe7
11 changed files with 25 additions and 9 deletions
--- a/routers/static_filter.go
+++ b/routers/static_filter.go
@ -19,6 +19,7 @@ import (
 	"io"
 	"net/http"
 	"os"
+	"path/filepath"
 	"strings"
 	"time"

@ -72,7 +73,7 @@ func StaticFilter(ctx *context.Context) {
 }

 func serveFileWithReplace(w http.ResponseWriter, r *http.Request, name string, old string, new string) {
-	f, err := os.Open(name)
+	f, err := os.Open(filepath.Clean(name))
 	if err != nil {
 		panic(err)
 	}