pegasus/backend/internal/fs.go

// backend/internal/fs.go
package internal

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

var absPath = filepath.Abs

// SafeJoin resolves rel under root and rejects any path that escapes the root.
func SafeJoin(root, rel string) (string, error) {
	rel = strings.TrimPrefix(rel, "/")
	p := filepath.Join(root, rel)
	ap, err := absPath(p)
	if err != nil {
		return "", err
	}
	ar, err := absPath(root)
	if err != nil {
		return "", err
	}
	if !strings.HasPrefix(ap, ar+string(os.PathSeparator)) && ap != ar {
		return "", errors.New("path escapes root")
	}
	return ap, nil
}
many fixes, hopefully uploading 2025-09-16 00:05:16 -05:00			`// backend/internal/fs.go`
first pass on pegasus 2025-09-08 00:48:47 -05:00			`package internal`

			`import (`
			`"errors"`
			`"os"`
			`"path/filepath"`
			`"strings"`
			`)`

pegasus: tighten quality gate 2026-04-11 00:02:59 -03:00			`var absPath = filepath.Abs`

			`// SafeJoin resolves rel under root and rejects any path that escapes the root.`
first pass on pegasus 2025-09-08 00:48:47 -05:00			`func SafeJoin(root, rel string) (string, error) {`
			`rel = strings.TrimPrefix(rel, "/")`
			`p := filepath.Join(root, rel)`
pegasus: tighten quality gate 2026-04-11 00:02:59 -03:00			`ap, err := absPath(p)`
pegasus: add full test suite and prometheus CI publishing 2026-04-10 03:25:23 -03:00			`if err != nil {`
			`return "", err`
			`}`
pegasus: tighten quality gate 2026-04-11 00:02:59 -03:00			`ar, err := absPath(root)`
pegasus: add full test suite and prometheus CI publishing 2026-04-10 03:25:23 -03:00			`if err != nil {`
			`return "", err`
			`}`
first pass on pegasus 2025-09-08 00:48:47 -05:00			`if !strings.HasPrefix(ap, ar+string(os.PathSeparator)) && ap != ar {`
			`return "", errors.New("path escapes root")`
			`}`
			`return ap, nil`
			`}`