From 583222087aae4627d15d7b2ca7d973cb8eae48a6 Mon Sep 17 00:00:00 2001 From: Aleksei Volkov Date: Sun, 15 Oct 2023 23:30:48 +0300 Subject: [PATCH] [ fix ] Prevent relative path traversal in elaborator scripts --- src/TTImp/Elab/RunElab.idr | 1 + tests/idris2/reflection/reflection024/src/LessSimpleRW.idr | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/src/TTImp/Elab/RunElab.idr b/src/TTImp/Elab/RunElab.idr index 4158990107..05b33be196 100644 --- a/src/TTImp/Elab/RunElab.idr +++ b/src/TTImp/Elab/RunElab.idr @@ -129,6 +129,7 @@ elabScript rig fc nest env script@(NDCon nfc nm t ar args) exp pathDoesNotEscape _ [] = True pathDoesNotEscape Z (".."::rest) = False pathDoesNotEscape (S n) (".."::rest) = pathDoesNotEscape n rest + pathDoesNotEscape n ("." ::rest) = pathDoesNotEscape n rest pathDoesNotEscape n (_ ::rest) = pathDoesNotEscape (S n) rest elabCon : Defs -> String -> List (Closure vars) -> Core (NF vars) diff --git a/tests/idris2/reflection/reflection024/src/LessSimpleRW.idr b/tests/idris2/reflection/reflection024/src/LessSimpleRW.idr index bb6336deb8..1543918fa0 100644 --- a/tests/idris2/reflection/reflection024/src/LessSimpleRW.idr +++ b/tests/idris2/reflection/reflection024/src/LessSimpleRW.idr @@ -35,3 +35,8 @@ failing "path must not escape the directory" -- Check a slightly more complicated case of escaping %runElab readAndLog "nonExistentOriginally/../../whatever" + +failing "path must not escape the directory" + + -- Check that '.' does not allow escaping + %runElab readAndLog "./../whatever"