Skip to content

Fix path sanitization#518

Open
OFFTKP wants to merge 1 commit intowheremyfoodat:masterfrom
OFFTKP:fspath
Open

Fix path sanitization#518
OFFTKP wants to merge 1 commit intowheremyfoodat:masterfrom
OFFTKP:fspath

Conversation

@OFFTKP
Copy link
Copy Markdown
Collaborator

@OFFTKP OFFTKP commented Jun 4, 2024

No description provided.

@OFFTKP
Copy link
Copy Markdown
Collaborator Author

OFFTKP commented Jun 4, 2024

What did github actions screw up this time?

@wheremyfoodat
Copy link
Copy Markdown
Owner

wheremyfoodat commented Jun 4, 2024

This should probably just explicitly check for ./ instead and not increment the nesting level in that case. This implementation is broken in a different way (paths of a specific archive can access, eg the SD archive, will be able to access anything inside the emulator folder, even outside the archive)

@OFFTKP
Copy link
Copy Markdown
Collaborator Author

OFFTKP commented Jun 4, 2024

This should probably just explicitly check for ./ instead and not increment the nesting level in that case. This implementation is broken in a different way (paths of a specific archive can access, eg the SD archive, will be able to access anything inside the emulator folder, even outside the archive)

Yes, although to be fair that was already possible with your implementation and checking for ./ doesn't really fix that. Also checking for ./ isn't enough, what about paths like ///////../../../../../? The multiple forward slashes are also a potential problem so you'd have to check for that too. Why not use a ready made, safe, standard solution?

I think perhaps the change you want me to make is to make sure isSafePath checks the path is inside the current archive instead, which means taking another parameter for the archive directory we want to check for at any given time.

@OFFTKP
Copy link
Copy Markdown
Collaborator Author

OFFTKP commented Jun 4, 2024

Yes, although to be fair that was already possible with your implementation

For example /../file.txt is a safe path with the current implementation, as you add 1 for the forward slash, but that forward slash is just the base of the current archive path

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants