From 08971caa5afde082de9e95c333c0f32fe76698a8 Mon Sep 17 00:00:00 2001 From: arctic_hen7 Date: Mon, 20 Sep 2021 17:01:59 +1000 Subject: [PATCH] =?UTF-8?q?fix:=20=F0=9F=94=92=20disallowed=20`static=5Fal?= =?UTF-8?q?iases`=20outside=20current=20directory?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Otherwise we could include `/etc/passwd`, which is **very** bad. --- packages/perseus/src/macros.rs | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/packages/perseus/src/macros.rs b/packages/perseus/src/macros.rs index e4c164b6e4..ea3fd0e97b 100644 --- a/packages/perseus/src/macros.rs +++ b/packages/perseus/src/macros.rs @@ -117,13 +117,16 @@ macro_rules! define_get_static_aliases { // We need to move this from being scoped to the app to being scoped for `.perseus/` // TODO make sure this works properly on Windows let resource = if resource.starts_with("/") { - // Absolute paths should be left as is - resource + // Absolute paths are a security risk and are disallowed + panic!("it's a security risk to include absolute paths in `static_aliases`"); + } else if resource.starts_with("../") { + // Anything outside this directory is a security risk as well + panic!("it's a security risk to include paths outside the current directory in `static_aliases`"); } else if resource.starts_with("./") { - // `./` -> `../` + // `./` -> `../` (moving to execution from `.perseus/`) format!(".{}", resource) } else { - // Anything else (including `../`) gets a `../` prepended + // Anything else gets a `../` prepended format!("../{}", resource) }; static_aliases.insert($url.to_string(), resource);