From 7c3f387418830b6a51fceb66c4d7061e6202c259 Mon Sep 17 00:00:00 2001
From: moloch-- <875022+moloch--@users.noreply.github.com>
Date: Tue, 16 Apr 2024 11:58:57 -0700
Subject: [PATCH 1/2] Fix path traversal

---
 store.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/store.go b/store.go
index aea37e4..774cafd 100644
--- a/store.go
+++ b/store.go
@@ -257,7 +257,7 @@ func (s *FilesystemStore) save(session *Session) error {
 if err != nil {
 return err
 }
- filename := filepath.Join(s.path, "session_"+session.ID)
+ filename := filepath.Join(s.path, filepath.Base("session_"+session.ID))
 fileMutex.Lock()
 defer fileMutex.Unlock()
 return os.WriteFile(filename, []byte(encoded), 0600)
@@ -265,7 +265,7 @@ func (s *FilesystemStore) save(session *Session) error {
 
 // load reads a file and decodes its content into session.Values.
 func (s *FilesystemStore) load(session *Session) error {
- filename := filepath.Join(s.path, "session_"+session.ID)
+ filename := filepath.Join(s.path, filepath.Base("session_"+session.ID))
 fileMutex.RLock()
 defer fileMutex.RUnlock()
 fdata, err := os.ReadFile(filepath.Clean(filename))
@@ -281,7 +281,7 @@ func (s *FilesystemStore) load(session *Session) error {
 
 // delete session file
 func (s *FilesystemStore) erase(session *Session) error {
- filename := filepath.Join(s.path, "session_"+session.ID)
+ filename := filepath.Join(s.path, filepath.Base("session_"+session.ID))
 fileMutex.RLock()
 defer fileMutex.RUnlock()

From 020a64f153182d7922ed9a9a3e13105e07b4ce6d Mon Sep 17 00:00:00 2001
From: moloch-- <875022+moloch--@users.noreply.github.com>
Date: Wed, 17 Apr 2024 09:20:04 -0700
Subject: [PATCH 2/2] Ensure session file prefix is added to file name

---
 store.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/store.go b/store.go
index 774cafd..68d4ce5 100644
--- a/store.go
+++ b/store.go
@@ -14,6 +14,11 @@ import (
 "github.com/gorilla/securecookie"
 )
 
+const (
+ // File name prefix for session files.
+ sessionFilePrefix = "session_"
+)
+
 // Store is an interface for custom session stores.
 //
 // See CookieStore and FilesystemStore for examples.
@@ -257,7 +262,7 @@ func (s *FilesystemStore) save(session *Session) error {
 if err != nil {
 return err
 }
- filename := filepath.Join(s.path, filepath.Base("session_"+session.ID))
+ filename := filepath.Join(s.path, sessionFilePrefix+filepath.Base(session.ID))
 fileMutex.Lock()
 defer fileMutex.Unlock()
 return os.WriteFile(filename, []byte(encoded), 0600)
@@ -265,7 +270,7 @@ func (s *FilesystemStore) save(session *Session) error {
 
 // load reads a file and decodes its content into session.Values.
 func (s *FilesystemStore) load(session *Session) error {
- filename := filepath.Join(s.path, filepath.Base("session_"+session.ID))
+ filename := filepath.Join(s.path, sessionFilePrefix+filepath.Base(session.ID))
 fileMutex.RLock()
 defer fileMutex.RUnlock()
 fdata, err := os.ReadFile(filepath.Clean(filename))
@@ -281,7 +286,7 @@ func (s *FilesystemStore) load(session *Session) error {
 
 // delete session file
 func (s *FilesystemStore) erase(session *Session) error {
- filename := filepath.Join(s.path, filepath.Base("session_"+session.ID))
+ filename := filepath.Join(s.path, sessionFilePrefix+filepath.Base(session.ID))
 fileMutex.RLock()
 defer fileMutex.RUnlock()
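Review bot: `sessionFilePrefix+filepath.Base(session.ID)` in save (the `@@ -257` hunk, repeated in the load and erase hunks below) keeps every resulting path inside s.path, but it normalizes a malformed ID instead of rejecting it: `x/abc` and `abc` both resolve to `session_abc`, and an empty ID resolves to `session_.`, so a bad ID silently reads, overwrites or deletes a different session's file rather than failing. Since the IDs the store itself issues are presumably single path elements (confirm against the ID generator), it is safer to validate once and return an error when the ID is empty or `filepath.Base(id) != id`, and to do that in one helper so the three copies of the path computation cannot drift apart again. The sketch below uses `errors.New`; add the `errors` import if the file does not already have it. The bodies of save, load and erase continue outside these hunks, so the `filename, err :=` form must be checked against any `err` already declared there.
```go
// sessionFilename returns the on-disk path for the session with the given ID.
// It rejects empty IDs and IDs that are not a single path element, so two
// distinct IDs can never resolve to the same file.
func (s *FilesystemStore) sessionFilename(id string) (string, error) {
	if id == "" || id == "." || id == ".." || filepath.Base(id) != id {
		return "", errors.New("sessions: invalid session ID")
	}
	return filepath.Join(s.path, sessionFilePrefix+id), nil
}

// in save (and likewise in load and erase, replacing the filename := line):
filename, err := s.sessionFilename(session.ID)
if err != nil {
	return err
}
// … unchanged: mutex handling and the file operation …
```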