From fc7e11310a7cdf9f1939886e1b29009db4d4b718 Mon Sep 17 00:00:00 2001 From: Ryan Pratt Date: Mon, 13 Jan 2025 14:46:24 -0700 Subject: [PATCH] Disallow parent dir path in sanitize_params --- .../app/controllers/application_controller.rb | 5 ++++- .../app/controllers/application_controller.rb | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/openc3-cosmos-cmd-tlm-api/app/controllers/application_controller.rb b/openc3-cosmos-cmd-tlm-api/app/controllers/application_controller.rb index 1877c29a9a..7608538fcd 100644 --- a/openc3-cosmos-cmd-tlm-api/app/controllers/application_controller.rb +++ b/openc3-cosmos-cmd-tlm-api/app/controllers/application_controller.rb @@ -57,7 +57,7 @@ def authorization(permission, target_name: nil, perform_render: true) end end - def sanitize_params(param_list, require_params: true, allow_forward_slash: false) + def sanitize_params(param_list, require_params: true, allow_forward_slash: false, allow_parent_dir: false) if require_params result = params.require(param_list) else @@ -78,6 +78,9 @@ def sanitize_params(param_list, require_params: true, allow_forward_slash: false else value = arg.encode(Encoding::UTF_8, invalid: :replace, undef: :replace, replace: "�").strip.tr("\u{202E}%$|:;/\t\r\n\\", "-") end + if not allow_parent_dir + value = value.gsub(/(\.|%2e){2}/i, "-") + end if value != arg render json: { status: 'error', message: "Invalid #{param_list[index]}: #{arg}" }, status: 400 return false diff --git a/openc3-cosmos-script-runner-api/app/controllers/application_controller.rb b/openc3-cosmos-script-runner-api/app/controllers/application_controller.rb index 55d58e5efe..b13c4b4aae 100644 --- a/openc3-cosmos-script-runner-api/app/controllers/application_controller.rb +++ b/openc3-cosmos-script-runner-api/app/controllers/application_controller.rb 
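Review bot: The added `gsub` in the second hunk rejects any two adjacent dots, not only a `..` path segment, so a value such as `v1..2` now fails with 400 even though it contains no separator; that fail-closed choice looks intentional but deserves a comment, e.g. `# reject any ".." (or encoded %2e%2e) so a param can never name a parent directory, even when allow_forward_slash: true`. Stylistically `if not allow_parent_dir` should be `unless allow_parent_dir`, and because `%` is already mapped to `-` by the `tr` on the line just above, the `%2e` alternative only has an effect if the allow_forward_slash branch (outside the hunk) leaves `%` intact — worth confirming rather than assuming. The identical block is added to openc3-cosmos-script-runner-api's application_controller.rb in the next file; keeping two copies of a security filter invites drift, and neither file gains a spec pinning that `..`, `.%2e` and `%2E%2E` are rejected while `allow_parent_dir: true` lets them through. sanitize_params's body continues past the end of the hunk.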
@@ -68,7 +68,7 @@ def authorization(permission, target_name: nil) return true end - def sanitize_params(param_list, require_params: true, allow_forward_slash: false) + def sanitize_params(param_list, require_params: true, allow_forward_slash: false, allow_parent_dir: false) if require_params result = params.require(param_list) else @@ -89,6 +89,9 @@ def sanitize_params(param_list, require_params: true, allow_forward_slash: false else value = arg.encode(Encoding::UTF_8, invalid: :replace, undef: :replace, replace: "�").strip.tr("\u{202E}%$|:;/\t\r\n\\", "-") end + if not allow_parent_dir + value = value.gsub(/(\.|%2e){2}/i, "-") + end if value != arg render json: { status: 'error', message: "Invalid #{param_list[index]}: #{arg}" }, status: 400 return false