Fix CodeQL check

Signed-off-by: Maia Iyer <[email protected]>
spiffe · Sep 30, 2024 · 09aeeff · 09aeeff
1 parent 681f68c
commit 09aeeff
Showing 1 changed file with 4 additions and 6 deletions.
diff --git a/api/agent/server.go b/api/agent/server.go
@@ -144,20 +144,18 @@ type spaHandler struct {
 // file located at the index path on the SPA handler will be served. This
 // is suitable behavior for serving an SPA (single page application).
 func (h spaHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+  relPath := r.URL.Path
 	// get the absolute path to prevent directory traversal
-	path, err := filepath.Abs(r.URL.Path)
-	if err != nil {
+	absPath, err := filepath.Abs(filepath.Join(h.staticPath, relPath))
+	if err != nil || !strings.HasPrefix(absPath, h.staticPath) {
 		// if we failed to get the absolute path respond with a 400 bad request
 		// and stop
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
 
-	// prepend the path with the path to the static directory
-	path = filepath.Join(h.staticPath, path)
-
 	// check whether a file exists at the given path
-	_, err = os.Stat(path)
+	_, err = os.Stat(absPath)
 	if os.IsNotExist(err) {
 		// file does not exist, serve index.html
 		http.ServeFile(w, r, filepath.Join(h.staticPath, h.indexPath))