From 72c27559272a9d72f151377e66ea5bf8e489ed62 Mon Sep 17 00:00:00 2001
From: Felix Eckhofer <felix@eckhofer.com>
Date: Thu, 26 Dec 2024 14:01:50 +0100
Subject: [PATCH] Secure against directory traversal

We're using checksum as file name and verify that all
externally-controllable path components are harmless.
---
 app/models/filedrop_file.rb | 3 ++-
 app/models/session.rb       | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/models/filedrop_file.rb b/app/models/filedrop_file.rb
index 39f72ba..235a5b1 100644
--- a/app/models/filedrop_file.rb
+++ b/app/models/filedrop_file.rb
@@ -1,5 +1,6 @@
 class FiledropFile < ApplicationRecord
   belongs_to :session
+  validates :checksum, presence: true, format: { with: /\A[0-9a-fA-F]+\z/, message: "only allows hexadecimal characters" }
 
   def sanitize_filename(filename)
     filename.gsub(/[^\w\s.-]/, '_')
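Review bot: The new `validates :checksum` line accepts a hex string of any length, so a one-character value like `"a"` passes; if `checksum` is always a fixed-size digest (the algorithm is not visible in this patch), pinning the length would make the check exact, e.g. `format: { with: /\A\h{64}\z/ }` for a SHA-256 hex digest, adjusted to whatever the app actually stores. The `\A`/`\z` anchors are the right choice here, since `^`/`$` would match per line and let a newline-embedded path through. Note that this is a model validation only: it runs on `save`/`valid?` and is skipped by `update_column` and `save(validate: false)`, and rows that already exist are not re-checked; the path builder in the second hunk of this file is where the value is actually consumed.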
@@ -36,6 +37,6 @@ class FiledropFile < ApplicationRecord
       session.ref_id
     )
     FileUtils.mkdir_p(dir)
-    return File.join(dir, name)
+    return File.join(dir, checksum)
   end
 end
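Review bot: `File.join(dir, checksum)` trusts that the format validation from the first hunk has already run, but nothing at this call site enforces it: an unsaved record, a record loaded from a row written before the validation existed, or one updated via `update_column` reaches this line unchecked, and a `nil` checksum makes `File.join` raise `TypeError` rather than fail cleanly. A guard at the point of use keeps the traversal defence local to the code that builds the path, e.g. `raise ArgumentError, "invalid checksum" unless checksum&.match?(/\A[0-9a-fA-F]+\z/)` just before the `File.join`; the same consideration applies to `session.ref_id`, which is joined into `dir` above and validated only in app/models/session.rb. The explicit `return` on the last line is redundant in Ruby. The enclosing method starts outside the hunk.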
diff --git a/app/models/session.rb b/app/models/session.rb
index c531172..ffeaad4 100644
--- a/app/models/session.rb
+++ b/app/models/session.rb
@@ -13,6 +13,7 @@ class Session < ApplicationRecord
   scope :future, -> { where(starts_at: Time.now..) }
 
   validates :ref_id, uniqueness: { scope: :conference_id }
+  validates :ref_id, format: { with: /\A[0-9a-fA-F-]+\z/, message: "only allows hexadecimal characters and minus" }
 
   after_update :notify_if_changed
 
-- 
GitLab