mirrors_public/schollz_croc
0
0
Fork 0
mirror of https://github.com/schollz/croc.git synced 2025-10-11 13:21:00 +02:00
Code Activity

Merge pull request #697 from schollz/issue593

Browse source 
fix: client quits when discovering dangerous paths
This commit is contained in:
Zack 2024-05-20 09:52:58 -07:00 committed by GitHub
commit 3f12f75fae
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 37 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

16
src/croc/croc.go
View file

@ -1092,6 +1092,22 @@ func (c *Client) processMessageFileInfo(m message.Message) (done bool, err error
c.EmptyFoldersToTransfer = senderInfo.EmptyFoldersToTransfer c.EmptyFoldersToTransfer = senderInfo.EmptyFoldersToTransfer
c.TotalNumberFolders = senderInfo.TotalNumberFolders c.TotalNumberFolders = senderInfo.TotalNumberFolders
c.FilesToTransfer = senderInfo.FilesToTransfer c.FilesToTransfer = senderInfo.FilesToTransfer
for i, fi := range c.FilesToTransfer {
// Issues #593 - sanitize the sender paths and prevent ".." from being used
c.FilesToTransfer[i].FolderRemote = filepath.Clean(fi.FolderRemote)
if strings.Contains(c.FilesToTransfer[i].FolderRemote, "..") {
return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
}
// Issues #593 - disallow specific folders like .ssh
if strings.Contains(c.FilesToTransfer[i].FolderRemote, ".ssh") {
return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
}
// Issue #595 - disallow filenames with anything but 0-9a-zA-Z.-_. and / characters
if !utils.ValidFileName(path.Join(c.FilesToTransfer[i].FolderRemote, fi.Name)) {
return true, fmt.Errorf("invalid filename detected: '%s'", fi.Name)
}
}
c.TotalNumberOfContents = 0 c.TotalNumberOfContents = 0
if c.FilesToTransfer != nil { if c.FilesToTransfer != nil {
c.TotalNumberOfContents += len(c.FilesToTransfer) c.TotalNumberOfContents += len(c.FilesToTransfer)

21
src/utils/utils.go
View file

@ -438,6 +438,12 @@ func UnzipDirectory(destination string, source string) error {
filePath := filepath.Join(destination, f.Name) filePath := filepath.Join(destination, f.Name)
fmt.Fprintf(os.Stderr, "\r\033[2K") fmt.Fprintf(os.Stderr, "\r\033[2K")
fmt.Fprintf(os.Stderr, "\rUnzipping file %s", filePath) fmt.Fprintf(os.Stderr, "\rUnzipping file %s", filePath)
// Issue #593 conceal path traversal vulnerability
// make sure the filepath does not have ".."
filePath = filepath.Clean(filePath)
if strings.Contains(filePath, "..") {
log.Fatalf("Invalid file path %s\n", filePath)
}
if f.FileInfo().IsDir() { if f.FileInfo().IsDir() {
os.MkdirAll(filePath, os.ModePerm) os.MkdirAll(filePath, os.ModePerm)
continue continue
@ -467,3 +473,18 @@ func UnzipDirectory(destination string, source string) error {
fmt.Fprintf(os.Stderr, "\n") fmt.Fprintf(os.Stderr, "\n")
return nil return nil
} }
// ValidFileName checks if a filename is valid
// and returns true only if it all of the characters are either
// 0-9, a-z, A-Z, ., _, -, space, or /
func ValidFileName(fname string) bool {
for _, r := range fname {
if !((r >= '0' && r <= '9') ||
(r >= 'a' && r <= 'z') ||
(r >= 'A' && r <= 'Z') ||
r == '.' || r == '_' || r == '-' || r == ' ' || r == '/') {
return false
}
}
return true
}