From 0a7b2a3181f0626b697f95cc18b9c3286305fdca Mon Sep 17 00:00:00 2001 From: Serge Bazanski Date: Mon, 27 Dec 2021 21:28:23 +0100 Subject: SECURITY: Fix path traversal in script verification The following used to be allowed: scripts: https://static.rc3.world/scripts/../maps/81c8add623eea2704f20/e65b545e-342f-4be0-b369-c0eacff7b15d/re-blessed.mp3.js This is obviously not good, as it allows scripts from arbitrary maps. --- lib/Properties.hs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/Properties.hs b/lib/Properties.hs index 4b51624..345f2ba 100644 --- a/lib/Properties.hs +++ b/lib/Properties.hs @@ -12,7 +12,7 @@ module Properties (checkMap, checkTileset, checkLayer) where import Control.Monad (forM, forM_, unless, when) -import Data.Text (Text, intercalate, isPrefixOf) +import Data.Text (Text, intercalate, isPrefixOf, isInfixOf) import qualified Data.Text as T import qualified Data.Vector as V import Tiled (Layer (..), Object (..), Property (..), @@ -142,7 +142,8 @@ checkMapProperty p@(Property name _) = case name of -- scripts can be used by one map _ | T.toLower name == "script" -> unwrapString p $ \str -> - unless ("https://static.rc3.world/scripts" `isPrefixOf` str) + unless (("https://static.rc3.world/scripts" `isPrefixOf` str) && + (not $ "/../" `isInfixOf` str)) $ forbid "only scripts hosted on static.rc3.world are allowed." | name `elem` ["jitsiRoom", "bbbRoom", "playAudio", "openWebsite" , "url", "exitUrl", "silent", "getBadge"] -- cgit v1.2.3