From 72c27559272a9d72f151377e66ea5bf8e489ed62 Mon Sep 17 00:00:00 2001
From: Felix Eckhofer <felix@eckhofer.com>
Date: Thu, 26 Dec 2024 14:01:50 +0100
Subject: [PATCH] Secure against directory traversal

We're using checksum as file name and verify that all externally-controllable path components are harmless.
---
 app/models/filedrop_file.rb | 3 ++-
 app/models/session.rb | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/models/filedrop_file.rb b/app/models/filedrop_file.rb
index 39f72ba..235a5b1 100644
--- a/app/models/filedrop_file.rb
+++ b/app/models/filedrop_file.rb
@@ -1,5 +1,6 @@
 class FiledropFile < ApplicationRecord
 belongs_to :session
+validates :checksum, presence: true, format: { with: /\A[0-9a-fA-F]+\z/, message: "only allows hexadecimal characters" }
 def sanitize_filename(filename)
 filename.gsub(/[^\w\s.-]/, '_')
@@ -36,6 +37,6 @@ class FiledropFile < ApplicationRecord
 session.ref_id
 )
 FileUtils.mkdir_p(dir)
-return File.join(dir, name)
+return File.join(dir, checksum)
 end
 end
diff --git a/app/models/session.rb b/app/models/session.rb
index c531172..ffeaad4 100644
--- a/app/models/session.rb
+++ b/app/models/session.rb
@@ -13,6 +13,7 @@ class Session < ApplicationRecord
 scope :future, -> { where(starts_at: Time.now..) }
 validates :ref_id, uniqueness: { scope: :conference_id }
+validates :ref_id, format: { with: /\A[0-9a-fA-F-]+\z/, message: "only allows hexadecimal characters and minus" }
 after_update :notify_if_changed
-- 
GitLab
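Review bot: The new `validates :checksum` format check only runs through ActiveRecord validation, so it does not cover rows persisted before this commit or writes that skip validations (`update_column`, `update_columns`, `save(validate: false)`); the same gap applies to the `ref_id` format validation in the session.rb hunk. A one-off check of the stored `checksum` and `ref_id` values against these patterns would close it for existing data. If the checksum is a fixed-size digest, adding a length constraint such as `length: { is: <digest hex length> }` would also reject truncated or padded values; the expected length is not visible in this patch. Hex-only input cannot form `.`, `..` or a path separator, so as a traversal guard the pattern itself is sound.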
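Review bot: `File.join(dir, checksum)` still trusts `checksum` at the point of use, so a new record whose validations have not run yet, or one written through a validation-skipping path, reaches the filesystem call unchecked; a use-time guard such as `raise ArgumentError, "invalid checksum" unless checksum.to_s.match?(/\A[0-9a-fA-F]+\z/)` immediately before the join would make the path builder safe on its own. The directory component comes from `session.ref_id`, so its safety depends on the session.rb validation in the same way. With the filename now derived solely from the checksum, two uploads with identical content in one session presumably map to the same path — fine if deduplication is intended, but worth a comment on the method — and because the pattern accepts both cases, `ab` and `AB` would be distinct records but one file on a case-insensitive filesystem, which normalising with `downcase` would avoid. The explicit `return` is redundant; `File.join(dir, checksum)` as the last expression reads the same. The enclosing method starts outside the hunk.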
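Review bot: `ref_id` now carries two separate `validates` declarations on consecutive lines; merging them into one, `validates :ref_id, uniqueness: { scope: :conference_id }, format: { with: /\A[0-9a-fA-F-]+\z/, message: "only allows hexadecimal characters and minus" }`, keeps the field's rules in one place. The pattern also accepts a value made only of `-` characters, which is harmless as a path component but probably not a meaningful ref_id; if ref_id is expected to be a UUID, a stricter UUID-shaped pattern would document that intent. The enclosing class continues outside the hunk.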