SECURITY: Fix path traversal in script verification

The following used to be allowed: scripts: https://static.rc3.world/scripts/../maps/81c8add623eea2704f20/e65b545e-342f-4be0-b369-c0eacff7b15d/re-blessed.mp3.js This is obviously not good, as it allows scripts from arbitrary maps.
author: Serge Bazanski 2021-12-27 21:28:23 +0100
committer: stuebinm 2021-12-27 21:36:23 +0100
commit: 0152c43a2aa8012e40c8cfdce085bce6c7dac1b3 (patch)
tree: b165159f1d94a2031015a35b0a34611b24897d3c
parent: 89a4aa1e911e6e67cbbea09c4c72bb95701c02ed (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/Properties.hs b/lib/Properties.hs
index 4b51624..345f2ba 100644
--- a/lib/Properties.hs
+++ b/lib/Properties.hs
@@ -12,7 +12,7 @@ module Properties (checkMap, checkTileset, checkLayer) where
 
 
 import           Control.Monad     (forM, forM_, unless, when)
-import           Data.Text         (Text, intercalate, isPrefixOf)
+import           Data.Text         (Text, intercalate, isPrefixOf, isInfixOf)
 import qualified Data.Text         as T
 import qualified Data.Vector       as V
 import           Tiled             (Layer (..), Object (..), Property (..),
@@ -142,7 +142,8 @@ checkMapProperty p@(Property name _) = case name of
   -- scripts can be used by one map
   _ | T.toLower name == "script" ->
       unwrapString p $ \str ->
-        unless ("https://static.rc3.world/scripts" `isPrefixOf` str)
+        unless (("https://static.rc3.world/scripts" `isPrefixOf` str) &&
+                (not $ "/../" `isInfixOf` str))
         $ forbid "only scripts hosted on static.rc3.world are allowed."
     | name `elem` ["jitsiRoom", "bbbRoom", "playAudio", "openWebsite"
                   , "url", "exitUrl", "silent", "getBadge"]
author	Serge Bazanski	2021-12-27 21:28:23 +0100
committer	stuebinm	2021-12-27 21:36:23 +0100
commit	0152c43a2aa8012e40c8cfdce085bce6c7dac1b3 (patch)
tree	b165159f1d94a2031015a35b0a34611b24897d3c
parent	89a4aa1e911e6e67cbbea09c4c72bb95701c02ed (diff)