fix: client quits when discovering dangerous paths

2024-11-23 23:54:17 +03:00 · 2024-05-20 08:23:21 -07:00 · 2024-05-20 08:23:21 -07:00 · b05c3c8c42
commit b05c3c8c42
parent 13bc190f8b
2 changed files with 18 additions and 0 deletions
--- a/src/croc/croc.go
+++ b/src/croc/croc.go
@ -1092,6 +1092,18 @@ func (c *Client) processMessageFileInfo(m message.Message) (done bool, err error
 	c.EmptyFoldersToTransfer = senderInfo.EmptyFoldersToTransfer
 	c.TotalNumberFolders = senderInfo.TotalNumberFolders
 	c.FilesToTransfer = senderInfo.FilesToTransfer
+	for i, fi := range c.FilesToTransfer {
+		// Issues #593 - sanitize the sender paths and prevent ".." from being used
+		c.FilesToTransfer[i].FolderRemote = filepath.Clean(fi.FolderRemote)
+		if strings.Contains(c.FilesToTransfer[i].FolderRemote, "..") {
+			return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
+		}
+		// Issues #593 - disallow specific folders like .ssh
+		if strings.Contains(c.FilesToTransfer[i].FolderRemote, ".ssh") {
+			return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
+		}
+
+	}
 	c.TotalNumberOfContents = 0
 	if c.FilesToTransfer != nil {
 		c.TotalNumberOfContents += len(c.FilesToTransfer)
--- a/src/utils/utils.go
+++ b/src/utils/utils.go
@ -438,6 +438,12 @@ func UnzipDirectory(destination string, source string) error {
 		filePath := filepath.Join(destination, f.Name)
 		fmt.Fprintf(os.Stderr, "\r\033[2K")
 		fmt.Fprintf(os.Stderr, "\rUnzipping file %s", filePath)
+		// Issue #593 conceal path traversal vulnerability
+		// make sure the filepath does not have ".."
+		filePath = filepath.Clean(filePath)
+		if strings.Contains(filePath, "..") {
+			log.Fatalf("Invalid file path %s\n", filePath)
+		}
 		if f.FileInfo().IsDir() {
 			os.MkdirAll(filePath, os.ModePerm)
 			continue