Prevent URI path traversals when downloading files #4

Open
smaury opened this issue Jan 24, 2023 · 2 comments
Labels
bug Something isn't working security Potential and confirmed security issues

Comments

Collaborator

smaury commented Jan 24, 2023

As file IDs are part of encrypted messages, a malicious submitter could set an arbitrary value as the file ID, which is then used to create the relative URL to fetch it.
If the malicious submitter sets the file ID to `../path/to/another/API?junk=`, they could force the victim's client to perform a GET request to an arbitrary API (i.e. `https://secure....onion/path/to/another/API?junk=<junk>`).

Collaborator Author

smaury commented Jan 24, 2023

I guess implementing something like this at the beginning of the get_file function should be enough:

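```python
from re import fullmatch

# Accept only a file ID that is exactly 32 lowercase hex characters;
# fullmatch() also rejects anything trailing a valid-looking prefix.
if not fullmatch(r"[0-9a-f]{32}", file_id):
    return False
```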
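The check discussed in this issue, as an added example that is not part of the original thread or the project's code: it shows where an unchecked file ID resolves and why the pattern has to cover the whole ID rather than only its start. The endpoint `https://example.onion/file/` and the names `resolved_url`, `is_valid_file_id` and `file_url` are assumptions made for illustration.

```python
import re
from urllib.parse import urljoin

# Hypothetical endpoint: the issue does not show the real download path.
FILE_ENDPOINT = "https://example.onion/file/"
FILE_ID_RE = re.compile(r"[0-9a-f]{32}")


def resolved_url(file_id: str) -> str:
    """URL a client reaches if it joins an unchecked file ID onto the endpoint."""
    return urljoin(FILE_ENDPOINT, file_id)


def is_valid_file_id(file_id: str) -> bool:
    """True only if the whole ID is 32 lowercase hex characters."""
    return FILE_ID_RE.fullmatch(file_id) is not None


def file_url(file_id: str) -> str:
    """Build the download URL, refusing any ID that fails validation."""
    if not is_valid_file_id(file_id):
        raise ValueError("invalid file ID")
    return resolved_url(file_id)


if __name__ == "__main__":
    # Constructed sample IDs; the second is the value quoted in the issue.
    samples = [
        "0123456789abcdef0123456789abcdef",
        "../path/to/another/API?junk=",
        "0123456789abcdef0123456789abcdef/../../path/to/another/API?junk=",
        "0123456789abcdef0123456789abcdef\n",
    ]
    for fid in samples:
        prefix_only = FILE_ID_RE.match(fid) is not None  # start-anchored only
        print(f"{fid!r}: prefix match={prefix_only}, "
              f"fullmatch={is_valid_file_id(fid)}, unchecked -> {resolved_url(fid)}")
```

Validating before the URL is built means the decision is made on the raw ID, not on whatever the URL library normalizes it into.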

Member

lsd-cat commented Jan 25, 2023

That's a great catch, thank you!

@lsd-cat lsd-cat added security Potential and confirmed security issues bug Something isn't working labels Dec 22, 2023
2 participants