authorMatus Fabian <matfabia@cisco.com>2024-05-28 13:39:13 +0200
committerFlorin Coras <florin.coras@gmail.com>2024-05-28 20:42:30 +0000
commit5409d330020b19ab909838e734e29ab71c36a14f (patch)
treed290fd755a494827be0bc3f31cbdb3887939cb0e /extras/hs-test/utils.go
parenta93c85a5793852b6edda20bc1100fa9fabd0eb29 (diff)
http_static: sanitize path before file read
Remove dot segments from the requested target path before the file handler starts reading the file, to prevent path traversal. Type: fix Change-Id: I3bdd3e9d7fffd33c9c8c608169c1dc73423b7078 Signed-off-by: Matus Fabian <matfabia@cisco.com>
Diffstat (limited to 'extras/hs-test/utils.go')
-rw-r--r--extras/hs-test/utils.go16
1 files changed, 16 insertions, 0 deletions
diff --git a/extras/hs-test/utils.go b/extras/hs-test/utils.go
index 304dd4c241b..d250dc64519 100644
--- a/extras/hs-test/utils.go
+++ b/extras/hs-test/utils.go
@@ -3,8 +3,10 @@ package main
import (
"fmt"
"io"
+ "net/http"
"os"
"strings"
+ "time"
)
const networkTopologyDir string = "topo-network/"
@@ -78,3 +80,17 @@ func (s *Stanza) saveToFile(fileName string) error {
_, err = io.Copy(fo, strings.NewReader(s.content))
return err
}
+
+// newHttpClient creates [http.Client] with disabled proxy and redirects, it also sets timeout to 30seconds.
+func newHttpClient() *http.Client {
+ transport := http.DefaultTransport
+ transport.(*http.Transport).Proxy = nil
+ transport.(*http.Transport).DisableKeepAlives = true
+ client := &http.Client{
+ Transport: transport,
+ Timeout: time.Second * 30,
+ CheckRedirect: func(req *http.Request, via []*http.Request) error {
+ return http.ErrUseLastResponse
+ }}
+ return client
+}
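Review bot: `newHttpClient` mutates the process-wide `http.DefaultTransport` rather than a private copy, so after the first call every other user of `http.DefaultClient` or the default transport in the test binary also runs with the proxy cleared and keep-alives off. The unchecked `transport.(*http.Transport)` assertions will also panic if anything has replaced the default transport. Cloning first keeps the settings local to this client: `transport := http.DefaultTransport.(*http.Transport).Clone()`, then `transport.Proxy = nil` and `transport.DisableKeepAlives = true`. The doc comment could also mention that keep-alives are disabled, since it currently lists only the proxy, redirect and timeout settings.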