Fix GHSL-2024-182 - don't allow path traversal on upload_file

owen2345 · Aug 12, 2024 · b3b12b1 · b3b12b1
1 parent a916fae
commit b3b12b1
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/app/helpers/camaleon_cms/uploader_helper.rb b/app/helpers/camaleon_cms/uploader_helper.rb
@@ -58,6 +58,9 @@ def upload_file(uploaded_io, settings = {})
       hooks_run('before_upload', settings)
       res = { error: nil }
 
+      # guard against path traversal
+      return { error: 'Invalid file path' } unless cama_uploader.class.valid_folder_path?(settings[:folder])
+
       # formats validations
       return { error: "#{ct('file_format_error')} (#{settings[:formats]})" } unless cama_uploader.class.validate_file_format(
         uploaded_io.path, settings[:formats]

diff --git a/app/uploaders/camaleon_cms_uploader.rb b/app/uploaders/camaleon_cms_uploader.rb
@@ -125,6 +125,12 @@ def self.validate_file_format(key, valid_formats = '*')
     valid_formats.include?(File.extname(key).sub('.', '').split('?').first.try(:downcase))
   end
 
+  def self.valid_folder_path?(path)
+    return false if path.include?("..") || File.absolute_path?(path) || path.include?("://")
+
+    true
+  end
+
   # verify if this file name already exist
   # if the file is already exist, return a new name for this file
   # sample: search_new_key("my_file/file.txt")