From b05c3c8c42eb681f1586824e1887ea74845f6154 Mon Sep 17 00:00:00 2001 From: Zack Date: Mon, 20 May 2024 08:23:21 -0700 Subject: [PATCH] fix: client quits when discovering dangerous paths --- src/croc/croc.go | 12 ++++++++++++ src/utils/utils.go | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/src/croc/croc.go b/src/croc/croc.go index 24e414b5..f3f68952 100644 --- a/src/croc/croc.go +++ b/src/croc/croc.go @@ -1092,6 +1092,18 @@ func (c *Client) processMessageFileInfo(m message.Message) (done bool, err error c.EmptyFoldersToTransfer = senderInfo.EmptyFoldersToTransfer c.TotalNumberFolders = senderInfo.TotalNumberFolders c.FilesToTransfer = senderInfo.FilesToTransfer + for i, fi := range c.FilesToTransfer { + // Issues #593 - sanitize the sender paths and prevent ".." from being used + c.FilesToTransfer[i].FolderRemote = filepath.Clean(fi.FolderRemote) + if strings.Contains(c.FilesToTransfer[i].FolderRemote, "..") { + return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote) + } + // Issues #593 - disallow specific folders like .ssh + if strings.Contains(c.FilesToTransfer[i].FolderRemote, ".ssh") { + return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote) + } + + } c.TotalNumberOfContents = 0 if c.FilesToTransfer != nil { c.TotalNumberOfContents += len(c.FilesToTransfer) diff --git a/src/utils/utils.go b/src/utils/utils.go index 75a1f122..4b6cf8a8 100644 --- a/src/utils/utils.go +++ b/src/utils/utils.go @@ -438,6 +438,12 @@ func UnzipDirectory(destination string, source string) error { filePath := filepath.Join(destination, f.Name) fmt.Fprintf(os.Stderr, "\r\033[2K") fmt.Fprintf(os.Stderr, "\rUnzipping file %s", filePath) + // Issue #593 conceal path traversal vulnerability + // make sure the filepath does not have ".." + filePath = filepath.Clean(filePath) + if strings.Contains(filePath, "..") { + log.Fatalf("Invalid file path %s\n", filePath) + } if f.FileInfo().IsDir() { os.MkdirAll(filePath, os.ModePerm) continue