From 4456e0d0a38b79d2ea66d87857ad758f210ca5e2 Mon Sep 17 00:00:00 2001
From: NotAShelf
Date: Sat, 8 Feb 2025 16:52:39 +0300
Subject: [PATCH] validate image paths

---
 main.go | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/main.go b/main.go
index d13bb93..2bfaad8 100644
--- a/main.go
+++ b/main.go
@@ -9,6 +9,7 @@ import (
 "math/rand"
 "net/http"
 "os"
+ "path/filepath"
 "strconv"
 "time"
 
@@ -108,7 +109,21 @@ func idHandler(w http.ResponseWriter, r *http.Request) {
 http.Error(w, "Invalid id", http.StatusBadRequest)
 return
 }
- http.ServeFile(w, r, "images/"+images[i])
+
+ imagePath := "images/" + images[i]
+ if !isValidImagePath(imagePath) {
+ http.Error(w, "Invalid image path", http.StatusBadRequest)
+ return
+ }
+
+ http.ServeFile(w, r, imagePath)
+}
+
+func isValidImagePath(path string) bool {
+ if !filepath.HasPrefix(path, "images/") {
+ return false
+ }
+ return true
 }
 
 func listHandler(w http.ResponseWriter, r *http.Request) {
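Review bot: `isValidImagePath` can never return false as called here, because `idHandler` builds `imagePath` as `"images/" + images[i]` and the helper only tests for that same literal prefix; a name containing `..` segments would still pass, and `http.ServeFile` does not sanitize its `name` argument. `filepath.HasPrefix` is also deprecated in the standard library because it does not respect path boundaries. If the intent is containment under `images/`, the helper should resolve the path before comparing, for example `rel, err := filepath.Rel("images", filepath.Clean(path))` followed by `return err == nil && filepath.IsLocal(rel)` (Go 1.20+). Where `images` is populated is outside this hunk, so whether its entries can ever carry separators or `..` should be confirmed there.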