fix: sanitize absolute paths from etherscan (#1603)

This commit is contained in:
Bjerg 2022-08-17 23:15:00 +02:00 committed by GitHub
parent 1bb8fae4c1
commit 92b51b6d9f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 3 deletions

View File

@ -37,10 +37,13 @@ impl SourceTree {
/// Remove any components in a smart contract source path that could cause a directory traversal. /// Remove any components in a smart contract source path that could cause a directory traversal.
fn sanitize_path(path: &Path) -> PathBuf { fn sanitize_path(path: &Path) -> PathBuf {
Path::new(path) let sanitized = Path::new(path)
.components() .components()
.filter(|x| x.as_os_str() != Component::ParentDir.as_os_str()) .filter(|x| x.as_os_str() != Component::ParentDir.as_os_str())
.collect::<PathBuf>() .collect::<PathBuf>();
// Force absolute paths to be relative
sanitized.strip_prefix("/").map(PathBuf::from).unwrap_or(sanitized)
} }
#[cfg(test)] #[cfg(test)]
@ -81,14 +84,19 @@ mod tests {
path: PathBuf::from("../b/../b.sol"), path: PathBuf::from("../b/../b.sol"),
contents: String::from("Test 2"), contents: String::from("Test 2"),
}, },
SourceTreeEntry {
path: PathBuf::from("/c/c.sol"),
contents: String::from("Test 3"),
},
], ],
}; };
st.write_to(tempdir.path()).unwrap(); st.write_to(tempdir.path()).unwrap();
let written_paths = read_dir(tempdir.path()).unwrap(); let written_paths = read_dir(tempdir.path()).unwrap();
let paths: Vec<PathBuf> = let paths: Vec<PathBuf> =
written_paths.into_iter().filter_map(|x| x.ok()).map(|x| x.path()).collect(); written_paths.into_iter().filter_map(|x| x.ok()).map(|x| x.path()).collect();
assert_eq!(paths.len(), 2); assert_eq!(paths.len(), 3);
assert!(paths.contains(&tempdir.path().join("a"))); assert!(paths.contains(&tempdir.path().join("a")));
assert!(paths.contains(&tempdir.path().join("b"))); assert!(paths.contains(&tempdir.path().join("b")));
assert!(paths.contains(&tempdir.path().join("c")));
} }
} }