summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSerge Bazanski2021-12-27 21:28:23 +0100
committerstuebinm2022-01-02 01:55:49 +0100
commit0a7b2a3181f0626b697f95cc18b9c3286305fdca (patch)
treeb165159f1d94a2031015a35b0a34611b24897d3c
parentec1ea19d54b3ff01aaf5b1e864fba670c0f01b7a (diff)
SECURITY: Fix path traversal in script verification
The following used to be allowed: scripts: https://static.rc3.world/scripts/../maps/81c8add623eea2704f20/e65b545e-342f-4be0-b369-c0eacff7b15d/re-blessed.mp3.js This is obviously not good, as it allows scripts from arbitrary maps.
Diffstat (limited to '')
-rw-r--r--lib/Properties.hs5
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/Properties.hs b/lib/Properties.hs
index 4b51624..345f2ba 100644
--- a/lib/Properties.hs
+++ b/lib/Properties.hs
@@ -12,7 +12,7 @@ module Properties (checkMap, checkTileset, checkLayer) where
import Control.Monad (forM, forM_, unless, when)
-import Data.Text (Text, intercalate, isPrefixOf)
+import Data.Text (Text, intercalate, isPrefixOf, isInfixOf)
import qualified Data.Text as T
import qualified Data.Vector as V
import Tiled (Layer (..), Object (..), Property (..),
@@ -142,7 +142,8 @@ checkMapProperty p@(Property name _) = case name of
-- scripts can be used by one map
_ | T.toLower name == "script" ->
unwrapString p $ \str ->
- unless ("https://static.rc3.world/scripts" `isPrefixOf` str)
+ unless (("https://static.rc3.world/scripts" `isPrefixOf` str) &&
+ (not $ "/../" `isInfixOf` str))
$ forbid "only scripts hosted on static.rc3.world are allowed."
| name `elem` ["jitsiRoom", "bbbRoom", "playAudio", "openWebsite"
, "url", "exitUrl", "silent", "getBadge"]