diff options
| author | Ben Brown <ben@demerara.io> | 2022-01-19 22:25:02 +0000 |
|---|---|---|
| committer | Ben Brown <ben@demerara.io> | 2022-01-19 22:41:39 +0000 |
| commit | 5d3acb6fc74f3a90058817f3226874755c788d98 (patch) | |
| tree | c5206612174395f9ccc311a47435fa452880116b | |
| parent | e49356d5a13f58dbaeefa8608d741d295997282d (diff) | |
| download | lorry-5d3acb6fc74f3a90058817f3226874755c788d98.tar.gz | |
Add check to disallow directory traversal
| -rwxr-xr-x | lorry.raw-file-importer | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/lorry.raw-file-importer b/lorry.raw-file-importer index 968193a..bdb006e 100755 --- a/lorry.raw-file-importer +++ b/lorry.raw-file-importer @@ -60,7 +60,11 @@ def commit_lfs_file(raw_file, relative_path, last_commit, fast_import): # Commit the data to master commit_time = int(time.time()) basename = os.path.basename(raw_file) + # Ensure we don't allow directory traversal path = os.path.relpath(os.path.join(relative_path, basename)) + if path[0:3] == "../": + print("error: unsafe path: {}".format(path), file=sys.stderr) + sys.exit(1) fromline = 'from {}\n'.format(last_commit) if last_commit else '' |