fix code scanning warning: uncontrolled data used in path expression.

ossrs · Oct 29, 2024 · bd1ade4 · bd1ade4
1 parent d1ffc2a
commit bd1ade4
Showing 1 changed file with 19 additions and 6 deletions.
diff --git a/platform/srs-hooks.go b/platform/srs-hooks.go
@@ -730,15 +730,28 @@ func handleOnHls(ctx context.Context, handler *http.ServeMux) error {
 				return errors.Errorf("invalid action=%v", msg.Action)
 			}
 
-			if _, err := os.Stat(msg.File); err != nil {
-				logger.Tf(ctx, "invalid ts file %v", msg.File)
+			path, err := filepath.Abs(filepath.Clean(msg.File))
+			if err != nil {
+				return errors.Errorf("invalid file path %v", msg.File)
+			}
+			logger.Tf(ctx, "ts file path: %v", path)
+			fileExtension := filepath.Ext(path)
+			switch fileExtension {
+			case ".ts", ".mp4", ".m4s":
+				break
+			default:
+				return errors.Errorf("invalid file extension %v", fileExtension)
+			}
+
+			if _, err := os.Stat(path); err != nil {
+				logger.Tf(ctx, "invalid ts file %v", path)
 
-				if err := os.MkdirAll(filepath.Dir(msg.File), 0755); err != nil {
-					return errors.Wrapf(err, "failed to create ts file directory %v", filepath.Dir(msg.File))
+				if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil {
+					return errors.Wrapf(err, "failed to create ts file directory %v", filepath.Dir(path))
 				}
 
-				if tsFile, err := os.Create(msg.File); err != nil {
-					return errors.Wrapf(err, "failed to create ts file %v", msg.File)
+				if tsFile, err := os.Create(path); err != nil {
+					return errors.Wrapf(err, "failed to create ts file %v", path)
 				} else {
 					tsUrl := "http://" + os.Getenv("SRS_HOST") + ":" + os.Getenv("SRS_HTTP_STREAM_PORT") + "/" + msg.URL
 					logger.Tf(ctx, "download ts from %v", tsUrl)