SECURITY: Fix path traversal in script verification

The following used to be allowed: scripts: https://static.rc3.world/scripts/../maps/81c8add623eea2704f20/e65b545e-342f-4be0-b369-c0eacff7b15d/re-blessed.mp3.js This is obviously not good, as it allows scripts from arbitrary maps.

SECURITY: Fix path traversal in script verification
0152c43a · Serge Bazanski · stuebinm · 89a4aa1e · 0152c43a
Commit 0152c43a authored 3 years ago by Serge Bazanski Committed by stuebinm 3 years ago
--- a/lib/Properties.hs
+++ b/lib/Properties.hs
@@ -12,7 +12,7 @@ module Properties (checkMap, checkTileset, checkLayer) where
 import           Control.Monad     (forM, forM_, unless, when)
-import           Data.Text         (Text, intercalate, isPrefixOf)
+import           Data.Text         (Text, intercalate, isPrefixOf, isInfixOf)
 import qualified Data.Text         as T
 import qualified Data.Vector       as V
 import           Tiled             (Layer (..), Object (..), Property (..),
@@ -142,7 +142,8 @@ checkMapProperty p@(Property name _) = case name of
  -- scripts can be used by one map
  _ | T.toLower name == "script" ->
      unwrapString p $ \str ->
-        unless ("https://static.rc3.world/scripts" `isPrefixOf` str)
+        unless (("https://static.rc3.world/scripts" `isPrefixOf` str) &&
+                (not $ "/../" `isInfixOf` str))
        $ forbid "only scripts hosted on static.rc3.world are allowed."
    | name `elem` ["jitsiRoom", "bbbRoom", "playAudio", "openWebsite"
                  , "url", "exitUrl", "silent", "getBadge"]