From e64e6327ef4cfda8f612c98882fe649c02918ac7 Mon Sep 17 00:00:00 2001
From: mhsanaei
Date: Sun, 21 Sep 2025 17:52:18 +0200
Subject: [PATCH] security fix: Uncontrolled data used in path expression

---
 web/service/server.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/web/service/server.go b/web/service/server.go
index 5fea423b..a268a13e 100644
--- a/web/service/server.go
+++ b/web/service/server.go
@@ -1008,7 +1008,19 @@ func (s *ServerService) UpdateGeofile(fileName string) error {
 {"https://github.com/runetfreedom/russia-v2ray-rules-dat/releases/latest/download/geoip.dat", "geoip_RU.dat"},
 {"https://github.com/runetfreedom/russia-v2ray-rules-dat/releases/latest/download/geosite.dat", "geosite_RU.dat"},
 }
-
+ // Strict allowlist check to avoid writing uncontrolled files
+ if fileName != "" {
+ isAllowed := false
+ for _, file := range files {
+ if fileName == file.FileName {
+ isAllowed = true
+ break
+ }
+ }
+ if !isAllowed {
+ return common.NewErrorf("Invalid geofile name: %s", fileName)
+ }
+ }
 downloadFile := func(url, destPath string) error {
 resp, err := http.Get(url)
 if err != nil {
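Review bot: The rejection branch interpolates the very value it just rejected with `%s`, so a name containing newlines or control characters is copied verbatim into whatever log line or HTTP response carries the error; `%q` keeps the diagnostic on one line and makes an empty-looking or whitespace-padded value visible, `return common.NewErrorf("Invalid geofile name: %q", fileName)`. The allowlist is skipped entirely when fileName is empty, which presumably means "refresh every entry"; the code that consumes an empty fileName is outside this hunk, so it is worth confirming that path never builds a destination path from the empty string. A comment stating that intent next to the `if fileName != ""` guard, e.g. `// empty fileName means all entries in files are refreshed`, would save the next reader the same question. The body of UpdateGeofile continues outside the hunk.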