fix multipart file sanitization

s-mang · s-mang · commit 26c116b76b45 · 2022-12-05T17:38:43.000-07:00
diff --git a/doc/body.go b/doc/body.go
@@ -1,6 +1,7 @@
 package doc
 
 import (
+	"bytes"
 	"regexp"
 	"strings"
 	"text/template"
@@ -14,8 +15,8 @@ var (
 `
 )
 
-var multipartBoundaryREStr = "^([-]+[a-zA-Z0-9]+)\nContent-Disposition.*"
-var multipartFileREStr = "(Content-Disposition: .*filename=.*\n?(?:Content-Type: .*))\n\n"
+var multipartBoundaryREStr = "multipart/form-data; boundary=([-]*[a-zA-Z0-9]+)"
+var multipartFileREStr = "(Content-Disposition: .*filename=.*\n?(?:Content-Type: .*)?)"
 
 var multipartBoundaryRE, multipartFileRE *regexp.Regexp
 
@@ -66,21 +67,21 @@ func (b *Body) FormattedJSON() string {
 }
 
 func (b *Body) SanitizedMultipartForm() string {
-	bodyStr := string(b.Content)
-	matches := multipartBoundaryRE.FindStringSubmatch(bodyStr)
+	matches := multipartBoundaryRE.FindStringSubmatch(b.ContentType)
 	if len(matches) < 2 {
 		// Fail, just return full body
 		return string(b.Content)
 	}
 	boundary := matches[1]
-	parts := strings.Split(bodyStr, boundary+"\n")
+	parts := bytes.Split(b.Content, []byte(boundary))
 
 	for i, p := range parts {
-		fileMatches := multipartFileRE.FindStringSubmatch(p)
+		fileMatches := multipartFileRE.FindSubmatch(p)
 		if len(fileMatches) > 0 {
-			parts[i] = fileMatches[0] + "<FILE DATA>\n\n"
+			parts[i] = append([]byte("\n"), fileMatches[0]...)
+			parts[i] = append(parts[i], []byte("\n\n<FILE DATA>\n\n")...)
 		}
 	}
 
-	return strings.Join(parts, boundary+"\n") + boundary + "--"
+	return string(bytes.Join(parts, []byte(boundary)))
 }

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`package doc`
`2`	`2`
`3`	`3`	`import (`
	`4`	`+ "bytes"`
`4`	`5`	`"regexp"`
`5`	`6`	`"strings"`
`6`	`7`	`"text/template"`
`@@ -14,8 +15,8 @@ var (`
`14`	`15`	`
`15`	`16`	`)`
`16`	`17`
`17`		`-var multipartBoundaryREStr = "^([-]+[a-zA-Z0-9]+)\nContent-Disposition.*"`
`18`		`-var multipartFileREStr = "(Content-Disposition: .filename=.\n?(?:Content-Type: .*))\n\n"`
	`18`	`+var multipartBoundaryREStr = "multipart/form-data; boundary=([-]*[a-zA-Z0-9]+)"`
	`19`	`+var multipartFileREStr = "(Content-Disposition: .filename=.\n?(?:Content-Type: .*)?)"`
`19`	`20`
`20`	`21`	`var multipartBoundaryRE, multipartFileRE *regexp.Regexp`
`21`	`22`
`@@ -66,21 +67,21 @@ func (b *Body) FormattedJSON() string {`
`66`	`67`	`}`
`67`	`68`
`68`	`69`	`func (b *Body) SanitizedMultipartForm() string {`
`69`		`- bodyStr := string(b.Content)`
`70`		`- matches := multipartBoundaryRE.FindStringSubmatch(bodyStr)`
	`70`	`+ matches := multipartBoundaryRE.FindStringSubmatch(b.ContentType)`
`71`	`71`	`if len(matches) < 2 {`
`72`	`72`	`// Fail, just return full body`
`73`	`73`	`return string(b.Content)`
`74`	`74`	`}`
`75`	`75`	`boundary := matches[1]`
`76`		`- parts := strings.Split(bodyStr, boundary+"\n")`
	`76`	`+ parts := bytes.Split(b.Content, []byte(boundary))`
`77`	`77`
`78`	`78`	`for i, p := range parts {`
`79`		`- fileMatches := multipartFileRE.FindStringSubmatch(p)`
	`79`	`+ fileMatches := multipartFileRE.FindSubmatch(p)`
`80`	`80`	`if len(fileMatches) > 0 {`
`81`		`- parts[i] = fileMatches[0] + "<FILE DATA>\n\n"`
	`81`	`+ parts[i] = append([]byte("\n"), fileMatches[0]...)`
	`82`	`+ parts[i] = append(parts[i], []byte("\n\n<FILE DATA>\n\n")...)`
`82`	`83`	`}`
`83`	`84`	`}`
`84`	`85`
`85`		`- return strings.Join(parts, boundary+"\n") + boundary + "--"`
	`86`	`+ return string(bytes.Join(parts, []byte(boundary)))`
`86`	`87`	`}`