Implemented getting file from mounted directories (with security considerations) and fixed some error messages in auth

PythonHacker24 · PythonHacker24 · commit 293758c54dec · 2025-05-23T18:37:17.000+05:30
diff --git a/internal/auth/handler.go b/internal/auth/handler.go
@@ -55,10 +55,10 @@ func LoginHandler(w http.ResponseWriter, r *http.Request) {
 	response := map[string]string{"token": token}
 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(response); err != nil {
-		zap.L().Error("Failed to encode response",
+		zap.L().Error("Failed to encode response for login request",
 			zap.Error(err),
 		)
-		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+		http.Error(w, "Failed to encode response for login request", http.StatusInternalServerError)
 		return
 	}
 }
diff --git a/internal/traversal/handler.go b/internal/traversal/handler.go
@@ -1,3 +1,55 @@
 package traversal
 
+import (
+	"encoding/json"
+	"net/http"
 
+	"go.uber.org/zap"
+	"github.com/PythonHacker24/linux-acl-management-backend/internal/auth"
+)
+
+/*
+	user considers / to be the root of the file path
+	the backend transalates / to basepath/ securely
+	this translation needs to be done wherever necessary
+*/
+
+/* POST handler for listing files in given directory */
+func ListFilesInDirectory(w http.ResponseWriter, r *http.Request) {
+
+	/* extracting userID from request */
+	userID, err := auth.ExtractUsernameFromRequest(r)
+	if err != nil {
+		zap.L().Error("Error during getting username in HandleListFiles handler",
+			zap.Error(err),
+		)
+		return
+	}
+	
+	/* check if the request body is valid */
+	var listRequest ListRequest  
+	err = json.NewDecoder(r.Body).Decode(&listRequest)
+	if err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+
+	/* list all the files in given filepath */
+	entries, err := ListFiles(listRequest.FilePath, userID)
+	if err != nil {
+		zap.L().Warn("File listing error",
+			zap.Error(err),
+		)
+		http.Error(w, "Failed to list files", http.StatusInternalServerError)	
+	}
+
+	/* send the response back */
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(entries); err != nil {
+		zap.L().Error("Failed to encode response for listing request",
+			zap.Error(err),
+		)
+		http.Error(w, "Failed to encode response for listing request", http.StatusInternalServerError)
+		return
+	}
+}
diff --git a/internal/traversal/model.go b/internal/traversal/model.go
@@ -7,7 +7,12 @@ package traversal
 type FileEntry struct {
     Name      string `json:"name"`
     Path      string `json:"path"`
-    IsDir     bool   `json:"isDir"`
+    IsDir     bool   `json:"is_dir"`
     Size      int64  `json:"size"`
-    ModTime   int64  `json:"modTime"`
+    ModTime   int64  `json:"mod_time"`
+}
+
+/* request for listing files in a given directory path */
+type ListRequest struct {
+	FilePath 	string `json:"file_path"`
 }
diff --git a/internal/traversal/traversal.go b/internal/traversal/traversal.go
@@ -1,15 +1,33 @@
 package traversal
 
 import (
+	"fmt"
 	"os"
+	"os/exec"
 	"path/filepath"
+	"strings"
+
+	"github.com/PythonHacker24/linux-acl-management-backend/config"
+	"go.uber.org/zap"
 )
 
+/* list files in a given directory with some basic information */
 func ListFiles(path string, userID string) ([]FileEntry, error) {
     var entries []FileEntry
 
-	/* list all the files in the given directory */
-    files, err := os.ReadDir(path)
+	/* combine basePath with the requested path */
+    fullPath := filepath.Join(config.BackendConfig.AppInfo.BasePath, path)
+
+    /* clean the path to prevent directory traversal */
+    fullPath = filepath.Clean(fullPath)
+    
+    /* ensure the resulting path is still within the basePath (prevent directory traversal) */
+    if !strings.HasPrefix(fullPath, filepath.Clean(config.BackendConfig.AppInfo.BasePath)) {
+        return nil, fmt.Errorf("Path traversal attempt detected: %s", path)
+    }
+    
+    /* list all the files in the given directory */
+    files, err := os.ReadDir(fullPath)
     if err != nil {
         return nil, err
     }
@@ -19,8 +37,12 @@ func ListFiles(path string, userID string) ([]FileEntry, error) {
         fullPath := filepath.Join(path, f.Name())
 
         /* check ACL access first */
-        hasAccess := checkACLAccess(fullPath, userID)
-        if !hasAccess {
+        isOwner, err := isOwner(fullPath, userID)
+		if err != nil {
+			return nil, fmt.Errorf("error during listing files: %w", err)
+		}
+
+        if !isOwner {
 			/* if the user doesn't have right ACL permissions for the file, skip it */
             continue
         }
@@ -43,3 +65,61 @@ func ListFiles(path string, userID string) ([]FileEntry, error) {
 
     return entries, nil
 }
+
+/* 
+	checks if the user is the owner of the file 
+	username is the LDAP CN for the user
+	uses getfacl to fetch the permissions (usually from filesystems mounted from remote servers)
+*/
+func isOwner(filePath string, userCN string) (bool, error) {
+
+    cleanPath := filepath.Clean(filePath)
+    
+    /* additional validation to ensure that the path doesn't contain dangerous characters */
+    if strings.Contains(cleanPath, ";") || strings.Contains(cleanPath, "|") || 
+       strings.Contains(cleanPath, "&") || strings.Contains(cleanPath, "`") ||
+       strings.Contains(cleanPath, "$") || strings.Contains(cleanPath, "(") ||
+       strings.Contains(cleanPath, ")") {
+		zap.L().Warn("Illegal method attempted while getting file path by injecting dangerous character in the file path!")
+    	return false, fmt.Errorf("invalid characters in file path: %s", cleanPath)
+    }
+    
+    /* get the file's ACL using getfacl with properly escaped arguments */
+    cmd := exec.Command("getfacl", "--", cleanPath)
+    output, err := cmd.Output()
+    if err != nil {
+        return false, fmt.Errorf("failed to execute getfacl on %s: %v", cleanPath, err)
+    }
+
+    /* parse the getfacl output to check ownership */
+    lines := strings.Split(string(output), "\n")
+    for _, line := range lines {
+        line = strings.TrimSpace(line)
+        
+        /* check for owner line (format: "# owner: username") */
+        if strings.HasPrefix(line, "# owner:") {
+            owner := strings.TrimSpace(strings.TrimPrefix(line, "# owner:"))
+
+            /* compare with the provided CN (case-insensitive) */
+            if strings.EqualFold(owner, userCN) {
+                return true, nil
+            }
+        }
+        
+        /* also check user ACL entries (format: "user:username:permissions") */
+        if strings.HasPrefix(line, "user:") && !strings.HasPrefix(line, "user::") {
+            parts := strings.Split(line, ":")
+            if len(parts) >= 3 {
+                aclUser := parts[1]
+                permissions := parts[2]
+                
+				/* check if this user has write permissions (indicating ownership-like access) */
+                if strings.EqualFold(aclUser, userCN) && strings.Contains(permissions, "w") {
+                    return true, nil
+                }
+            }
+        }
+    }
+    
+    return false, nil
+}

Original file line number	Diff line number	Diff line change
`@@ -55,10 +55,10 @@ func LoginHandler(w http.ResponseWriter, r *http.Request) {`
`55`	`55`	`response := map[string]string{"token": token}`
`56`	`56`	`w.Header().Set("Content-Type", "application/json")`
`57`	`57`	`if err := json.NewEncoder(w).Encode(response); err != nil {`
`58`		`- zap.L().Error("Failed to encode response",`
	`58`	`+ zap.L().Error("Failed to encode response for login request",`
`59`	`59`	`zap.Error(err),`
`60`	`60`	`)`
`61`		`- http.Error(w, "Failed to encode response", http.StatusInternalServerError)`
	`61`	`+ http.Error(w, "Failed to encode response for login request", http.StatusInternalServerError)`
`62`	`62`	`return`
`63`	`63`	`}`
`64`	`64`	`}`