
show warning for asset directory transversal to prepare for network api based reload in v5

Shelikhoo 4 years ago
parent
commit
a720d1e2d6

+ 9 - 0
common/platform/errors.generated.go

@@ -0,0 +1,9 @@
+package platform
+
+import "github.com/v2fly/v2ray-core/v4/common/errors"
+
+type errPathObjHolder struct{}
+
+func newError(values ...interface{}) *errors.Error {
+	return errors.New(values...).WithPathObj(errPathObjHolder{})
+}

+ 5 - 0
common/platform/others.go

@@ -7,6 +7,7 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
+	"strings"
 )
 
 func ExpandEnv(s string) string {
@@ -25,6 +26,10 @@ func GetToolLocation(file string) string {
 
 // GetAssetLocation search for `file` in certain locations
 func GetAssetLocation(file string) string {
+	filepathCleaned := filepath.Clean(file)
+	if strings.HasPrefix("..", filepathCleaned) {
+		newError("directory transversal is not allowed for assets. This will be forbidden in v5.").AtWarning().WriteToLog()
+	}
 	const name = "v2ray.location.asset"
 	assetPath := NewEnvFlag(name).GetValue(getExecutableDir)
 	defPath := filepath.Join(assetPath, file)
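Review bot: The arguments to `strings.HasPrefix` in the check added to GetAssetLocation are swapped: the signature is `HasPrefix(s, prefix)`, so this asks whether the literal `".."` starts with the cleaned path, which is true only for `"."` and `".."` and never for a path such as `../x`. The warning therefore stays silent for the inputs it is meant to flag and fires for an empty or `.` argument instead. A check that matches a leading parent-directory element, rather than any name that merely begins with two dots, would be `if filepathCleaned == ".." || strings.HasPrefix(filepathCleaned, ".."+string(filepath.Separator)) {`. The identical line is added in common/platform/windows.go, and the log text says "transversal" where "traversal" is meant. GetAssetLocation's body continues past the end of this hunk.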

+ 2 - 0
common/platform/platform.go

@@ -7,6 +7,8 @@ import (
 	"strings"
 )
 
+//go:generate go run github.com/v2fly/v2ray-core/v4/common/errors/errorgen
+
 type EnvFlag struct {
 	Name    string
 	AltName string

+ 5 - 1
common/platform/windows.go

@@ -19,8 +19,12 @@ func GetToolLocation(file string) string {
 	return filepath.Join(toolPath, file+".exe")
 }
 
-// GetAssetLocation search for `file` in the excutable dir
+// GetAssetLocation search for `file` in the executable dir
 func GetAssetLocation(file string) string {
+	filepathCleaned := filepath.Clean(file)
+	if strings.HasPrefix("..", filepathCleaned) {
+		newError("directory transversal is not allowed for assets. This will be forbidden in v5.").AtWarning().WriteToLog()
+	}
 	const name = "v2ray.location.asset"
 	assetPath := NewEnvFlag(name).GetValue(getExecutableDir)
 	return filepath.Join(assetPath, file)
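Review bot: The check added to the Windows GetAssetLocation calls `strings.HasPrefix`, but this file section adds no import and the import block is outside the hunk, so confirm that `"strings"` is already imported in windows.go; if it is not, the Windows build will not compile. The call also passes its arguments in the wrong order (`HasPrefix(s, prefix)` expects the cleaned path first), so the warning would not fire for a path that starts with a `..` element. Because the check only logs, `filepath.Join(assetPath, file)` on the last line still resolves any `..` elements in `file`; a doc comment on the function such as `// NOTE: file is not yet confined to the asset directory; callers must not pass untrusted names.` would make that explicit until v5 enforces it.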