Better validation for input/output paths #29

Open
ghost opened this issue Jul 2, 2021 · 0 comments
Labels
cat-bug scope-tool For the doc-kit tool itself

ghost commented Jul 2, 2021

  • Doc Kit 0.5 now uses an additional regex charclass_files_strict to try to avoid writing to out-of-scope output paths on the user's machine. However, it does not quite protect against enough cases.
    ../ is caught at the beginning of the string but will not be caught, e.g. after a leading ./ or within some/path/../../../../../now/we/are/very/far/up.
    There may be other issues I did not think about.

  • For the input paths, we use charclass_files_relaxed and that intentionally allows a leading ../, however, even there, we still should not allow e.g. ../../ because then we're outside the repo and it does not make sense anymore.

ghost added the cat-bug label Jul 2, 2021
ghost changed the title from "tool: Better validation for input/output paths" to "Better validation for input/output paths" Jul 2, 2021
ghost added the scope-tool (For the doc-kit tool itself) label Jul 2, 2021
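
One way to close the two gaps described in the issue, as an added example that is not Doc Kit's code: count how far a relative path climbs above its starting directory instead of matching `../` at the start of the string. `NAIVE_LEADING_CHECK` is a constructed stand-in for a leading-`../`-only regex (not the real `charclass_files_strict`), the function names are hypothetical, and the one-level limit for input paths is an assumption drawn from the issue text.

```python
import re

# Constructed stand-in for a check that only rejects a leading "../";
# it is not Doc Kit's actual charclass_files_strict regex.
NAIVE_LEADING_CHECK = re.compile(r"^(?!\.\./)[\w./-]+$")


def max_ascent(path: str) -> int:
    """Return how many levels above the starting directory `path` reaches
    at its highest point, judged lexically (symlinks are not resolved)."""
    depth = 0
    lowest = 0
    # Treat both separators alike so "..\\.." is not missed on Windows.
    for part in re.split(r"[\\/]+", path):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            lowest = min(lowest, depth)
        else:
            depth += 1
    return -lowest


def is_rooted(path: str) -> bool:
    """True for absolute paths and Windows drive-qualified paths."""
    return path.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", path) is not None


def output_path_ok(path: str) -> bool:
    """Output paths must never leave the directory they are relative to."""
    return bool(path) and not is_rooted(path) and max_ascent(path) == 0


def input_path_ok(path: str, max_up: int = 1) -> bool:
    """Input paths may climb at most `max_up` levels (assumed: one, to the repo root)."""
    return bool(path) and not is_rooted(path) and max_ascent(path) <= max_up


if __name__ == "__main__":
    # Constructed sample paths, including the two shapes named in the issue.
    for p in ["docs/out.html", "../out.html", "./../out.html",
              "some/path/../../../../../now/we/are/very/far/up", "../../src/a.md"]:
        print(f"{p!r}: naive={bool(NAIVE_LEADING_CHECK.match(p))} "
              f"output={output_path_ok(p)} input={input_path_ok(p)}")
```

The check is purely lexical, so a tool that writes through symlinked directories would still need to compare the resolved path against its base directory before opening the file.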