From 7d854832148aef67eaa5b94d9443578e71e3daec Mon Sep 17 00:00:00 2001
From: Simone Margaritelli <evilsocket@gmail.com>
Date: Thu, 22 Aug 2024 10:28:28 +0200
Subject: [PATCH] fix: expanding file path in file read api

---
 modules/api_rest/api_rest_controller.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/modules/api_rest/api_rest_controller.go b/modules/api_rest/api_rest_controller.go
index 33d94555..0be32c0b 100644
--- a/modules/api_rest/api_rest_controller.go
+++ b/modules/api_rest/api_rest_controller.go
@@ -12,6 +12,7 @@ import (
 	"strings"
 
 	"github.com/bettercap/bettercap/v2/session"
+	"github.com/evilsocket/islazy/fs"
 
 	"github.com/gorilla/mux"
 )
@@ -426,7 +427,14 @@ func (mod *RestAPI) fileRoute(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	var err error
+
 	fileName := r.URL.Query().Get("name")
+	if fileName, err = fs.Expand(fileName); err != nil {
+		mod.Warning("can't expand %s: %v", fileName, err)
+		http.Error(w, "Bad Request", 400)
+		return
+	}
 
 	if fileName != "" && r.Method == "GET" {
 		mod.readFile(fileName, w, r)