api: Explicit checks

Signed-off-by: Max Asnaashari <[email protected]>
canonical · Sep 4, 2024 · af2bc7d · af2bc7d
1 parent 3f6fed5
commit af2bc7d
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/api/services_tokens.go b/api/services_tokens.go
@@ -70,6 +70,15 @@ func serviceTokensPost(s *state.State, r *http.Request) response.Response {
 		return response.SmartError(err)
 	}
 
+	if strings.Contains(req.JoinerName, "/") || strings.Contains(req.JoinerName, "\\") || strings.Contains(req.JoinerName, "..") {
+		return response.SmartError(err)
+	}
+
+	_, err = filepath.Abs(req.JoinerName)
+	if err != nil {
+		return response.SmartError(err)
+	}
+
 	_ = os.MkdirAll(req.JoinerName, 0700)
 
 	sh, err := service.NewHandler(s.Name(), req.ClusterAddress, s.OS.StateDir, false, false, types.ServiceType(serviceType))