From 6e5b14c466e2a0c02037ceb52d0dc2010ea5460f Mon Sep 17 00:00:00 2001
From: Dane Everitt <dane@daneeveritt.com>
Date: Fri, 25 Dec 2020 15:01:43 -0800
Subject: [PATCH] Prevent malicious code from causing a server UUID to be used
 that is not valid

---
 router/router_transfer.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/router/router_transfer.go b/router/router_transfer.go
index 8aa27ed..b0f1a1d 100644
--- a/router/router_transfer.go
+++ b/router/router_transfer.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"github.com/apex/log"
 	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
 	"github.com/juju/ratelimit"
 	"github.com/mholt/archiver/v3"
 	"github.com/mitchellh/colorstring"
@@ -288,6 +289,16 @@ func postTransfer(c *gin.Context) {
 		return
 	}
 
+	u, err := uuid.Parse(data.ServerID)
+	if err != nil {
+		WithError(c, err)
+		return
+	}
+	// Force the server ID to be a valid UUID string at this point. If it is not an error
+	// is returned to the caller. This limits injection vulnerabilities that would cause
+	// the str.path() function to return a location not within the server archive directory.
+	data.ServerID = u.String()
+
 	data.log().Info("handling incoming server transfer request")
 	go func(data *serverTransferRequest) {
 		hasError := true