Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent Path Traversal #6390

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Prevent Path Traversal #6390

wants to merge 2 commits into from

Conversation

bhaskarvilles
Copy link
Contributor

@bhaskarvilles bhaskarvilles commented Aug 11, 2024
edited
Loading

sanitizePath Function: This function checks if the file path is valid and safely contained within an allowed directory. It converts the path to an absolute path, resolves any symlinks, and checks if the path starts with the specified allowed directory.

Issues (Related Issues)

Unsanitized input from a CLI argument flows into os.ReadFile, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.

close

(Proposed Changes)

sanitizePath Function: This function checks if the file path is valid and safely contained within an allowed directory. It converts the path to an absolute path, resolves any symlinks, and checks if the path starts with the specified allowed directory.

Safety Directory: The allowedDir variable should be set to a directory that you control and where you expect valid files to be. This prevents the user from accessing files outside of this directory.

Error Handling: If the path is invalid or attempts to traverse outside the allowed directory, an error is returned, and the program exits gracefully.

自查清单 (Checklist)

在你认为本 PR 满足被审阅的标准之前,需要确保 / Before you mark the PR ready for review, please make sure that:

  • 符合Venus项目管理规范中关于PR的相关标准 / The PR follows the PR standards set out in the Venus project management guidelines
  • 具有清晰明确的commit message / All commits have a clear commit message.
  • 包含相关的的测试用例或者不需要新增测试用例 / This PR has tests for new functionality or change in behaviour or not need to add new tests.
  • 存在兼容性问题(接口, 配置,数据,灰度),如果存在需要进行文档说明 / This PR has compatibility issues (API, Configuration, Data, GrayRelease), if so, need to be documented.
  • 包含相关的的指南以及文档或者不需要新增文档 / This PR has updated usage guidelines and documentation or not need
  • 通过必要的检查项 / All checks are green

@bhaskarvilles
Prevent Path Traversal
daf136f 
sanitizePath Function: This function checks if the file path is valid and safely contained within an allowed directory.
It converts the path to an absolute path, resolves any symlinks, and checks if the path starts with the specified allowed directory.
@codecov-commenter
Copy link

codecov-commenter commented Aug 11, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 25%. Comparing base (c4ac18f) to head (135c26f).

Additional details and impacted files 
@@          Coverage Diff           @@
##           master   #6390   +/-   ##
======================================
- Coverage      25%     25%   -1%     
======================================
  Files         678     678           
  Lines       68289   68289           
======================================
- Hits        17674   17669    -5     
- Misses      47801   47804    +3     
- Partials     2814    2816    +2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@bhaskarvilles @codecov-commenter