fiber Architecture Docs
Home / Function/ sanitizePath() — fiber Function Reference

sanitizePath() — fiber Function Reference

Architecture documentation for the sanitizePath() function in static.go from the fiber codebase.

Function go FiberCore Adapters called by 1

Entity Profile

Dependency Diagram

graph TD
  4ab56980_491f_71ac_10f1_6d1ef45c4234["sanitizePath()"]
  3c44fb0a_14a9_26fb_2c78_c413f4b9d39d["static.go"]
  4ab56980_491f_71ac_10f1_6d1ef45c4234 -->|defined in| 3c44fb0a_14a9_26fb_2c78_c413f4b9d39d
  d98bccf4_de44_c71f_4e71_9c0ad58f76bb["New()"]
  d98bccf4_de44_c71f_4e71_9c0ad58f76bb -->|calls| 4ab56980_491f_71ac_10f1_6d1ef45c4234
  style 4ab56980_491f_71ac_10f1_6d1ef45c4234 fill:#6366f1,stroke:#818cf8,color:#fff

Relationship Graph

Source Code

middleware/static/static.go lines 27–115

func sanitizePath(p []byte, filesystem fs.FS) ([]byte, error) {
	var s string

	hasTrailingSlash := len(p) > 0 && p[len(p)-1] == '/'

	if bytes.IndexByte(p, '\\') >= 0 {
		b := make([]byte, len(p))
		copy(b, p)
		for i := range b {
			if b[i] == '\\' {
				b[i] = '/'
			}
		}
		s = utils.UnsafeString(b)
	} else {
		s = utils.UnsafeString(p)
	}

	// repeatedly unescape until it no longer changes, catching errors
	for strings.IndexByte(s, '%') >= 0 {
		us, err := url.PathUnescape(s)
		if err != nil {
			return nil, ErrInvalidPath
		}
		if us == s {
			break
		}
		s = us
	}

	if strings.IndexByte(s, '\\') >= 0 {
		return nil, ErrInvalidPath
	}

	// reject any null bytes
	if strings.IndexByte(s, '\x00') >= 0 {
		return nil, ErrInvalidPath
	}

	normalized := filepath.ToSlash(s)
	if filesystem == nil && strings.HasPrefix(normalized, "//") {
		return nil, ErrInvalidPath
	}

	s = pathpkg.Clean("/" + normalized)

	trimmed := utils.TrimLeft(s, '/')
	if trimmed != "" {
		if slices.Contains(strings.Split(trimmed, "/"), "..") {
			return nil, ErrInvalidPath
		}
	}

	if filesystem == nil {
		normalizedClean := filepath.ToSlash(trimmed)
		if strings.HasPrefix(normalizedClean, "//") {
			return nil, ErrInvalidPath
		}
		if volume := filepath.VolumeName(normalizedClean); volume != "" {
			return nil, ErrInvalidPath
		}
		if len(normalizedClean) >= 2 && normalizedClean[1] == ':' {
			drive := normalizedClean[0]
			if (drive >= 'a' && drive <= 'z') || (drive >= 'A' && drive <= 'Z') {
				return nil, ErrInvalidPath
			}
		}
		if strings.HasPrefix(filepath.ToSlash(s), "//") {
			return nil, ErrInvalidPath
		}
	}

	if filesystem != nil {
		s = trimmed
		if s == "" {
			return []byte("/"), nil
		}
		if !fs.ValidPath(s) {
			return nil, ErrInvalidPath
		}
		s = "/" + s

Domain

Subdomains

Defined In

Called By

Source

Frequently Asked Questions

What does sanitizePath() do?
sanitizePath() is a function in the fiber codebase, defined in middleware/static/static.go.
Where is sanitizePath() defined?
sanitizePath() is defined in middleware/static/static.go at line 27.
What calls sanitizePath()?
sanitizePath() is called by 1 function(s): New.

Analyze Your Own Codebase

Get architecture documentation, dependency graphs, and domain analysis for your codebase in minutes.

Try Supermodel Free