Sanitizing path input in api requests

Author: rxtur

BlogEngine/BlogEngine.Core/Data/FileManagerRepository.cs

@@ -18,6 +18,8 @@ public IEnumerable<FileInstance> Find(int take = 10, int skip = 0, string path =
             var rwr = Utils.RelativeWebRoot;
             var responsePath = "root";
 
+            path = path.SanitizePath();
+
             if(string.IsNullOrEmpty(path))
                 path = Blog.CurrentInstance.StorageLocation + Utils.FilesFolder;
 

BlogEngine/BlogEngine.Core/Extensions.cs

@@ -92,5 +92,27 @@ public static bool TryParse<T>(this string theString, out T output)
 
             return success;
         }
+
+        /// <summary>
+        /// Sanitize path by removing invalid characters. Valid path should look similar to "path/to/sub/folder"
+        /// </summary>
+        /// <param name="str">String to sanitize</param>
+        /// <param name="root">Optionally validate datastore root</param>
+        /// <returns>String out</returns>
+        public static string SanitizePath(this string str, string root = "")
+        {
+            if (str.Contains(".."))
+                return "";
+
+            if (str.StartsWith("~/") && !string.IsNullOrEmpty(root) && !str.StartsWith(root))
+                return "";
+
+            str = str.Replace(".", "").Replace("\\", "").Replace("%2F", "");
+
+            if (str.Contains("//"))
+                return "";
+
+            return str;
+        }
     }
 }

BlogEngine/BlogEngine.NET/AppCode/Api/UploadController.cs

@@ -29,6 +29,10 @@ public HttpResponseMessage Post(string action, string dirPath = "")
             fileName = fileName.Replace("image.jpg", DateTime.Now.ToString("yyyyMMddHHmmssfff") + ".jpg");
             fileName = fileName.Replace("image.png", DateTime.Now.ToString("yyyyMMddHHmmssfff") + ".png");
 
+            var root = Blog.CurrentInstance.StorageLocation + Utils.FilesFolder;
+
+            dirPath = dirPath.SanitizePath(root);
+            
             if (!string.IsNullOrEmpty(dirPath))
                 dirName = dirPath;