Merge pull request #319 from hindessm/restrict-library-entry-names

Prohibit library entry names from containing '../'.
2025-03-01 10:36:34 +00:00 · 2014-07-31 17:24:57 +01:00
parent a170623b4c b7428ab627
commit b8f40d4e39
4 changed files with 85 additions and 8 deletions
--- a/red/library.js
+++ b/red/library.js
@@ -34,6 +34,10 @@ function init() {
                    res.send(204);
                }).otherwise(function(err) {
                    util.log("[red] Error loading flow '"+req.params[0]+"' : "+err);
+                    if (err.message.indexOf('forbidden') === 0) {
+                        res.send(403);
+                        return;
+                    }
                    res.send(500);
                });
            });
@@ -52,6 +56,10 @@ function init() {
            }).otherwise(function(err) {
                if (err) {
                    util.log("[red] Error loading flow '"+req.params[0]+"' : "+err);
+                    if (err.message.indexOf('forbidden') === 0) {
+                        res.send(403);
+                        return;
+                    }
                }
                res.send(404);
            });
@@ -75,6 +83,10 @@ function createLibrary(type) {
            }).otherwise(function(err) {
                if (err) {
                    util.log("[red] Error loading library entry '"+path+"' : "+err);
+                    if (err.message.indexOf('forbidden') === 0) {
+                        res.send(403);
+                        return;
+                    }
                }
                res.send(404);
            });
@@ -91,6 +103,10 @@ function createLibrary(type) {
                        res.send(204);
                    }).otherwise(function(err) {
                        util.log("[red] Error saving library entry '"+path+"' : "+err);
+                        if (err.message.indexOf('forbidden') === 0) {
+                            res.send(403);
+                            return;
+                        }
                        res.send(500);
                    });
            });
--- a/red/storage/index.js
+++ b/red/storage/index.js
@@ -33,6 +33,10 @@ function moduleSelector(aSettings) {
    return toReturn;
 }

+function is_malicious(path) {
+    return path.indexOf('../') != -1 || path.indexOf('..\\') != -1;
+}
+
 var storageModuleInterface = {
        init : function(settings) {
            try {
@@ -58,15 +62,27 @@ var storageModuleInterface = {
            return storageModule.getAllFlows();
        },
        getFlow : function(fn) {
+            if (is_malicious(fn)) {
+                return when.reject(new Error('forbidden flow name'));
+            }
            return storageModule.getFlow(fn);
        },
        saveFlow : function(fn, data) {
+            if (is_malicious(fn)) {
+                return when.reject(new Error('forbidden flow name'));
+            }
            return storageModule.saveFlow(fn, data);
        },
        getLibraryEntry : function(type, path) {
+            if (is_malicious(path)) {
+                return when.reject(new Error('forbidden flow name'));
+            }
            return storageModule.getLibraryEntry(type, path);
        },
        saveLibraryEntry : function(type, path, meta, body) {
+            if (is_malicious(path)) {
+                return when.reject(new Error('forbidden flow name'));
+            }
            return storageModule.saveLibraryEntry(type, path, meta, body);
        }
 }