Merge pull request #697 from schollz/issue593

fix: client quits when discovering dangerous paths
schollz · May 20, 2024 · 3f12f75 · 3f12f75
2 parents accb310 + a591833
commit 3f12f75
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 0 deletions.
diff --git a/src/croc/croc.go b/src/croc/croc.go
@@ -1092,6 +1092,22 @@ func (c *Client) processMessageFileInfo(m message.Message) (done bool, err error
 	c.EmptyFoldersToTransfer = senderInfo.EmptyFoldersToTransfer
 	c.TotalNumberFolders = senderInfo.TotalNumberFolders
 	c.FilesToTransfer = senderInfo.FilesToTransfer
+	for i, fi := range c.FilesToTransfer {
+		// Issues #593 - sanitize the sender paths and prevent ".." from being used
+		c.FilesToTransfer[i].FolderRemote = filepath.Clean(fi.FolderRemote)
+		if strings.Contains(c.FilesToTransfer[i].FolderRemote, "..") {
+			return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
+		}
+		// Issues #593 - disallow specific folders like .ssh
+		if strings.Contains(c.FilesToTransfer[i].FolderRemote, ".ssh") {
+			return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
+		}
+		// Issue #595 - disallow filenames with anything but 0-9a-zA-Z.-_. and / characters
+
+		if !utils.ValidFileName(path.Join(c.FilesToTransfer[i].FolderRemote, fi.Name)) {
+			return true, fmt.Errorf("invalid filename detected: '%s'", fi.Name)
+		}
+	}
 	c.TotalNumberOfContents = 0
 	if c.FilesToTransfer != nil {
 		c.TotalNumberOfContents += len(c.FilesToTransfer)

diff --git a/src/utils/utils.go b/src/utils/utils.go
@@ -438,6 +438,12 @@ func UnzipDirectory(destination string, source string) error {
 		filePath := filepath.Join(destination, f.Name)
 		fmt.Fprintf(os.Stderr, "\r\033[2K")
 		fmt.Fprintf(os.Stderr, "\rUnzipping file %s", filePath)
+		// Issue #593 conceal path traversal vulnerability
+		// make sure the filepath does not have ".."
+		filePath = filepath.Clean(filePath)
+		if strings.Contains(filePath, "..") {
+			log.Fatalf("Invalid file path %s\n", filePath)
+		}
 		if f.FileInfo().IsDir() {
 			os.MkdirAll(filePath, os.ModePerm)
 			continue
@@ -467,3 +473,18 @@ func UnzipDirectory(destination string, source string) error {
 	fmt.Fprintf(os.Stderr, "\n")
 	return nil
 }
+
+// ValidFileName checks if a filename is valid
+// and returns true only if it all of the characters are either
+// 0-9, a-z, A-Z, ., _, -, space, or /
+func ValidFileName(fname string) bool {
+	for _, r := range fname {
+		if !((r >= '0' && r <= '9') ||
+			(r >= 'a' && r <= 'z') ||
+			(r >= 'A' && r <= 'Z') ||
+			r == '.' || r == '_' || r == '-' || r == ' ' || r == '/') {
+			return false
+		}
+	}
+	return true
+}