fix uuid

Signed-off-by: Thomas Miceli <tho.miceli@gmail.com>

internal/web/handlers/gist/create.go

@@ -70,7 +70,10 @@ func ProcessCreate(ctx *context.Context) error {
 	fileFilenames := dto.UploadedFilesNames
 	if len(fileUUIDs) == len(fileFilenames) {
 		for i, fileUUID := range fileUUIDs {
-			filePath := filepath.Join(filepath.Join(config.GetHomeDir(), "uploads"), fileUUID)
+			if !uuidRegex.MatchString(filepath.Base(fileUUID)) {
+				continue
+			}
+			filePath := filepath.Join(config.GetHomeDir(), "uploads", fileUUID)
 
 			if _, err := os.Stat(filePath); err != nil {
 				continue

internal/web/handlers/gist/upload.go

@@ -4,12 +4,15 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"regexp"
 
 	"github.com/google/uuid"
 	"github.com/thomiceli/opengist/internal/config"
 	"github.com/thomiceli/opengist/internal/web/context"
 )
 
+var uuidRegex = regexp.MustCompile(`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`)
+
 func Upload(ctx *context.Context) error {
 	err := ctx.Request().ParseMultipartForm(32 << 20) // 32 MB max
 	if err != nil {
@@ -57,13 +60,13 @@ func Upload(ctx *context.Context) error {
 }
 
 func DeleteUpload(ctx *context.Context) error {
-	uuid := ctx.Param("uuid")
+	fileUuid := filepath.Base(ctx.Param("uuid"))
-	if uuid == "" {
+
+	if fileUuid == "" || !uuidRegex.MatchString(fileUuid) {
 		return ctx.ErrorRes(400, ctx.Tr("error.bad-request"), nil)
 	}
 
-	uploadsDir := filepath.Join(config.GetHomeDir(), "uploads")
+	filePath := filepath.Join(config.GetHomeDir(), "uploads", fileUuid)
-	filePath := filepath.Join(uploadsDir, uuid)
 
 	if _, err := os.Stat(filePath); err == nil {
 		if err := os.Remove(filePath); err != nil {