assert download file path is subpath of server dir

nothub · Jan 31, 2023 · a1f424b · a1f424b
1 parent 2b4e675
commit a1f424b
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 0 deletions.
diff --git a/cmd/root.go b/cmd/root.go
@@ -180,6 +180,17 @@ var rootCmd = &cobra.Command{
 		if err != nil {
 			log.Fatalln(err)
 		}
+
+		for _, file := range index.Files {
+			ok, err := util.PathIsSubpath(file.Path, serverDir)
+			if err != nil {
+				log.Println(err)
+			}
+			if err != nil || !ok {
+				log.Fatalln("File path is not safe: " + file.Path)
+			}
+		}
+
 		fmt.Println("Installing:", index.Name)
 		fmt.Printf("Flavor dependencies: %+v\n", index.Dependencies)
 

diff --git a/cmd/update.go b/cmd/update.go
@@ -147,6 +147,17 @@ var updateCmd = &cobra.Command{
 		if err != nil {
 			log.Fatalln(err)
 		}
+
+		for path, _ := range newModPackInfo.File {
+			ok, err := util.PathIsSubpath(string(path), serverDir)
+			if err != nil {
+				log.Println(err)
+			}
+			if err != nil || !ok {
+				log.Fatalln("File path is not safe: " + path)
+			}
+		}
+
 		err = newModPackInfo.Write(path.Join(serverDir, "modpack.json.update"))
 		if err != nil {
 			log.Fatalln(err)

diff --git a/util/file.go b/util/file.go
@@ -31,6 +31,20 @@ func PathIsDir(path string) bool {
 	return info.Mode().IsDir()
 }
 
+func PathIsSubpath(path string, basePath string) (bool, error) {
+	absBasePath, err := filepath.Abs(basePath)
+	if err != nil {
+		return false, err
+	}
+
+	_, err = filepath.Rel(absBasePath, path)
+	if err != nil {
+		return false, err
+	}
+
+	return true, nil
+}
+
 func FileDetection(hash string, path string) DetectType {
 	_, err := os.Stat(path)
 	if err != nil {