in internal/httpfs/http_fs.go [48:73]
func (p *fileSystemPaths) Open(name string) (http.File, error) {
// taken from http.Dir#open https://golang.org/src/net/http/fs.go?s=2108:2152#L70
if filepath.Separator != '/' && strings.ContainsRune(name, filepath.Separator) {
return nil, errInvalidChar
}
cleanedPath := filepath.FromSlash(path.Clean("/" + name))
absPath, err := filepath.Abs(cleanedPath)
if err != nil {
return nil, err
}
for _, allowedPath := range p.allowedPaths {
// allowedPath may be a single / in chroot so we need to ensure it's not double slash
if strings.HasPrefix(absPath, ensureEndingSlash(allowedPath)) {
return os.Open(absPath)
}
}
log.WithError(os.ErrPermission).Errorf("requested filepath %q not in allowed paths: %q",
absPath, strings.Join(p.allowedPaths, string(os.PathListSeparator)))
// os.ErrPermission is converted to http.StatusForbidden
// https://github.com/golang/go/blob/release-branch.go1.15/src/net/http/fs.go#L635
return nil, os.ErrPermission
}