Merge pull request #1828 from OpenC3/bug/sanitize-params-parent-dir

Disallow parent dir path in sanitize_params
OpenC3 · Jan 15, 2025 · 2fcef55 · 2fcef55
2 parents 0f71247 + fc7e113
commit 2fcef55
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/openc3-cosmos-cmd-tlm-api/app/controllers/application_controller.rb b/openc3-cosmos-cmd-tlm-api/app/controllers/application_controller.rb
@@ -57,7 +57,7 @@ def authorization(permission, target_name: nil, perform_render: true)
     end
   end
 
-  def sanitize_params(param_list, require_params: true, allow_forward_slash: false)
+  def sanitize_params(param_list, require_params: true, allow_forward_slash: false, allow_parent_dir: false)
     if require_params
       result = params.require(param_list)
     else
@@ -78,6 +78,9 @@ def sanitize_params(param_list, require_params: true, allow_forward_slash: false
         else
           value = arg.encode(Encoding::UTF_8, invalid: :replace, undef: :replace, replace: "�").strip.tr("\u{202E}%$|:;/\t\r\n\\", "-")
         end
+        if not allow_parent_dir
+          value = value.gsub(/(\.|%2e){2}/i, "-")
+        end
         if value != arg
           render json: { status: 'error', message: "Invalid #{param_list[index]}: #{arg}" }, status: 400
           return false

diff --git a/openc3-cosmos-script-runner-api/app/controllers/application_controller.rb b/openc3-cosmos-script-runner-api/app/controllers/application_controller.rb
@@ -68,7 +68,7 @@ def authorization(permission, target_name: nil)
     return true
   end
 
-  def sanitize_params(param_list, require_params: true, allow_forward_slash: false)
+  def sanitize_params(param_list, require_params: true, allow_forward_slash: false, allow_parent_dir: false)
     if require_params
       result = params.require(param_list)
     else
@@ -89,6 +89,9 @@ def sanitize_params(param_list, require_params: true, allow_forward_slash: false
         else
           value = arg.encode(Encoding::UTF_8, invalid: :replace, undef: :replace, replace: "�").strip.tr("\u{202E}%$|:;/\t\r\n\\", "-")
         end
+        if not allow_parent_dir
+          value = value.gsub(/(\.|%2e){2}/i, "-")
+        end
         if value != arg
           render json: { status: 'error', message: "Invalid #{param_list[index]}: #{arg}" }, status: 400
           return false