Golang : Perform sanity checks on filename example
Problem:
Your Golang application accepts files uploaded by visitors. However, you want to sanitize the uploaded filenames for security purpose. You want to remove non-standard characters from a typical filename and also want to have the option to preserve paths. How to do that?
Solution:
This code example below should be able to perform sanity checks on most common uploaded filenames. Enjoy!
package main
import (
"fmt"
"strings"
)
var badCharacters = []string{
"../",
"<!--",
"-->",
"<",
">",
"'",
"\"",
"&",
"$",
"#",
"{", "}", "[", "]", "=",
";", "?", "%20", "%22",
"%3c", // <
"%253c", // <
"%3e", // >
"", // > -- fill in with % 0 e - without spaces in between
"%28", // (
"%29", // )
"%2528", // (
"%26", // &
"%24", // $
"%3f", // ?
"%3b", // ;
"%3d", // =
}
func RemoveBadCharacters(input string, dictionary []string) string {
temp := input
for _, badChar := range dictionary {
temp = strings.Replace(temp, badChar, "", -1)
}
return temp
}
func SanitizeFilename(name string, relativePath bool) string {
// default settings
var badDictionary []string = badCharacters
if name == "" {
return name
}
// if relativePath is TRUE, we preserve the path in the filename
// If FALSE and will cause upper path foldername to merge with filename
// USE WITH CARE!!!
if !relativePath {
// add additional bad characters
badDictionary = append(badCharacters, "./")
badDictionary = append(badDictionary, "/")
}
// trim(remove)white space
trimmed := strings.TrimSpace(name)
// trim(remove) white space in between characters
trimmed = strings.Replace(trimmed, " ", "", -1)
// remove bad characters from filename
trimmed = RemoveBadCharacters(trimmed, badDictionary)
stripped := strings.Replace(trimmed, "\\", "", -1)
return stripped
}
func main() {
fmt.Println("Sanitize filename example")
filename := "../foldername/你的crazy& ! <!-- $#@# fileN@me.z ip "
fmt.Printf("BEFORE : [%v]\n", filename)
fmt.Printf("AFTER(preserve path) : [%v]\n", SanitizeFilename(filename, true))
fmt.Printf("AFTER(without path) : [%v]\n", SanitizeFilename(filename, false))
}
Output:
Sanitize filename example
BEFORE : [../foldername/你的crazy& ! <!-- $#@# fileN@me.z ip ]
AFTER(preserve path) : [foldername/你的crazy!@fileN@me.zip]
AFTER(without path) : [foldername你的crazy!@fileN@me.zip]
References:
https://github.com/bcit-ci/CodeIgniter/blob/develop/system/core/Security.php
https://golang.org/pkg/strings/#Replace
See also : Golang : Upload file from web browser to server
By Adam Ng
IF you gain some knowledge or the information here solved your programming problem. Please consider donating to the less fortunate or some charities that you like. Apart from donation, planting trees, volunteering or reducing your carbon footprint will be great too.
Advertisement
Tutorials
+22.4k Golang : How to read JPG(JPEG), GIF and PNG files ?
+21.4k Golang : How to read float value from standard input ?
+22.1k Golang : Match strings by wildcard patterns with filepath.Match() function
+48.1k Golang : How to convert JSON string to map and slice
+10.8k Golang : Get UDP client IP address and differentiate clients by port number
+6.9k Mac OSX : Find large files by size
+4.9k Nginx and PageSpeed build from source CentOS example
+8.7k Golang : On lambda, anonymous, inline functions and function literals
+6.8k Unix/Linux : How to fix CentOS yum duplicate glibc or device-mapper-libs dependency error?
+7.4k Golang : Create zip/ePub file without compression(use Store algorithm)
+30.4k Get client IP Address in Go
+4.6k Linux : sudo yum updates not working