From 0152c43a2aa8012e40c8cfdce085bce6c7dac1b3 Mon Sep 17 00:00:00 2001
From: Serge Bazanski
Date: Mon, 27 Dec 2021 21:28:23 +0100
Subject: SECURITY: Fix path traversal in script verification

The following used to be allowed:

   scripts: https://static.rc3.world/scripts/../maps/81c8add623eea2704f20/e65b545e-342f-4be0-b369-c0eacff7b15d/re-blessed.mp3.js

This is obviously not good, as it allows scripts from arbitrary maps.
---
 lib/Properties.hs | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/Properties.hs b/lib/Properties.hs
index 4b51624..345f2ba 100644
--- a/lib/Properties.hs
+++ b/lib/Properties.hs
@@ -12,7 +12,7 @@ module Properties (checkMap, checkTileset, checkLayer) where
 
 
 import           Control.Monad     (forM, forM_, unless, when)
-import           Data.Text         (Text, intercalate, isPrefixOf)
+import           Data.Text         (Text, intercalate, isPrefixOf, isInfixOf)
 import qualified Data.Text         as T
 import qualified Data.Vector       as V
 import           Tiled             (Layer (..), Object (..), Property (..),
@@ -142,7 +142,8 @@ checkMapProperty p@(Property name _) = case name of
   -- scripts can be used by one map
   _ | T.toLower name == "script" ->
       unwrapString p $ \str ->
-        unless ("https://static.rc3.world/scripts" `isPrefixOf` str)
+        unless (("https://static.rc3.world/scripts" `isPrefixOf` str) &&
+                (not $ "/../" `isInfixOf` str))
         $ forbid "only scripts hosted on static.rc3.world are allowed."
     | name `elem` ["jitsiRoom", "bbbRoom", "playAudio", "openWebsite"
                   , "url", "exitUrl", "silent", "getBadge"]
-- 
cgit v1.2.3