Golang : Perform sanity checks on filename example
Problem:
Your Golang application accepts files uploaded by visitors. However, you want to sanitize the uploaded filenames for security purpose. You want to remove non-standard
characters from a typical filename and also want to have the option to preserve paths. How to do that?
Solution:
This code example below should be able to perform sanity checks on most common uploaded filenames. Enjoy!
package main
import (
"fmt"
"strings"
)
var badCharacters = []string{
"../",
"<!--",
"-->",
"<",
">",
"'",
"\"",
"&",
"$",
"#",
"{", "}", "[", "]", "=",
";", "?", "%20", "%22",
"%3c", // <
"%253c", // <
"%3e", // >
"", // > -- fill in with % 0 e - without spaces in between
"%28", // (
"%29", // )
"%2528", // (
"%26", // &
"%24", // $
"%3f", // ?
"%3b", // ;
"%3d", // =
}
func RemoveBadCharacters(input string, dictionary []string) string {
temp := input
for _, badChar := range dictionary {
temp = strings.Replace(temp, badChar, "", -1)
}
return temp
}
func SanitizeFilename(name string, relativePath bool) string {
// default settings
var badDictionary []string = badCharacters
if name == "" {
return name
}
// if relativePath is TRUE, we preserve the path in the filename
// If FALSE and will cause upper path foldername to merge with filename
// USE WITH CARE!!!
if !relativePath {
// add additional bad characters
badDictionary = append(badCharacters, "./")
badDictionary = append(badDictionary, "/")
}
// trim(remove)white space
trimmed := strings.TrimSpace(name)
// trim(remove) white space in between characters
trimmed = strings.Replace(trimmed, " ", "", -1)
// remove bad characters from filename
trimmed = RemoveBadCharacters(trimmed, badDictionary)
stripped := strings.Replace(trimmed, "\\", "", -1)
return stripped
}
func main() {
fmt.Println("Sanitize filename example")
filename := "../foldername/你的crazy& ! <!-- $#@# fileN@me.z ip "
fmt.Printf("BEFORE : [%v]\n", filename)
fmt.Printf("AFTER(preserve path) : [%v]\n", SanitizeFilename(filename, true))
fmt.Printf("AFTER(without path) : [%v]\n", SanitizeFilename(filename, false))
}
Output:
Sanitize filename example
BEFORE : [../foldername/你的crazy& ! <!-- $#@# fileN@me.z ip ]
AFTER(preserve path) : [foldername/你的crazy!@fileN@me.zip]
AFTER(without path) : [foldername你的crazy!@fileN@me.zip]
References:
https://github.com/bcit-ci/CodeIgniter/blob/develop/system/core/Security.php
https://golang.org/pkg/strings/#Replace
See also : Golang : Upload file from web browser to server
By Adam Ng
IF you gain some knowledge or the information here solved your programming problem. Please consider donating to the less fortunate or some charities that you like. Apart from donation, planting trees, volunteering or reducing your carbon footprint will be great too.
Advertisement
Tutorials
+23.5k Golang : convert rune to integer value
+6.8k Golang : get the current working directory of a running program
+24.8k Golang : Convert(cast) string to uint8 type and back to string
+50.1k Golang : Check if item is in slice/array
+5.2k Javascript : Generate random key with specific length
+5.1k Golang : Convert Chinese UTF8 characters to Pin Yin
+10.1k Golang : Fix fmt.Scanf() on Windows will scan input twice problem
+13.6k Golang : Accurate and reliable decimal calculations
+7.1k Golang : Auto-generate reply email with text/template package
+16.5k Golang : Simple client server example
+13.5k Golang : Find commonalities in two slices or arrays example
+12.4k Golang : Convert spaces to tabs and back to spaces example