diff options
author | Serge Bazanski | 2021-12-27 21:28:23 +0100 |
---|---|---|
committer | stuebinm | 2022-01-02 01:55:49 +0100 |
commit | 0a7b2a3181f0626b697f95cc18b9c3286305fdca (patch) | |
tree | b165159f1d94a2031015a35b0a34611b24897d3c | |
parent | ec1ea19d54b3ff01aaf5b1e864fba670c0f01b7a (diff) |
SECURITY: Fix path traversal in script verification
The following used to be allowed:
scripts: https://static.rc3.world/scripts/../maps/81c8add623eea2704f20/e65b545e-342f-4be0-b369-c0eacff7b15d/re-blessed.mp3.js
This is obviously not good, as it allows scripts from arbitrary maps.
Diffstat (limited to '')
-rw-r--r-- | lib/Properties.hs | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/Properties.hs b/lib/Properties.hs index 4b51624..345f2ba 100644 --- a/lib/Properties.hs +++ b/lib/Properties.hs @@ -12,7 +12,7 @@ module Properties (checkMap, checkTileset, checkLayer) where import Control.Monad (forM, forM_, unless, when) -import Data.Text (Text, intercalate, isPrefixOf) +import Data.Text (Text, intercalate, isPrefixOf, isInfixOf) import qualified Data.Text as T import qualified Data.Vector as V import Tiled (Layer (..), Object (..), Property (..), @@ -142,7 +142,8 @@ checkMapProperty p@(Property name _) = case name of -- scripts can be used by one map _ | T.toLower name == "script" -> unwrapString p $ \str -> - unless ("https://static.rc3.world/scripts" `isPrefixOf` str) + unless (("https://static.rc3.world/scripts" `isPrefixOf` str) && + (not $ "/../" `isInfixOf` str)) $ forbid "only scripts hosted on static.rc3.world are allowed." | name `elem` ["jitsiRoom", "bbbRoom", "playAudio", "openWebsite" , "url", "exitUrl", "silent", "getBadge"] |