Update codeberg.org/gruf libraries and fix go-store issue #347
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: kim <grufwub@gmail.com>
Signed-off-by: kim <grufwub@gmail.com>
NyaaaWhatsUpDoc
commented
Dec 15, 2021
| // than store root, this is an error | ||
| if util.CountDotdots(pb.StringPtr()) > st.dots { | ||
| // Check for dir traversal outside of root | ||
| if util.IsDirTraversal(st.path, pb.StringPtr()) { |
There was a problem hiding this comment.
So here is where the dir traversal check is being performed. Next comment will be the implementation of said function
NyaaaWhatsUpDoc
commented
Dec 15, 2021
| var dotdot = "../" | ||
| // IsDirTraversal will check if rootPlusPath is a dir traversal outside of root, | ||
| // assuming that both are cleaned and that rootPlusPath is path.Join(root, somePath) | ||
| func IsDirTraversal(root string, rootPlusPath string) bool { |
There was a problem hiding this comment.
This is the dir traversal check function.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes a critical issue in the codeberg.org/gruf/go-store library in which path traversal would have been possible. Fortunately this doesn't work with our HTTP muxer but still something that's worth fixing!
I will leave a comment below in the relevant vendored code that's worth checking.
This has passed my own module's tests but it's still worth checking that this doesn't cause any fileserver path issues on a test instance.