From a720d1e2d638782f07af7eccb7af4dfefee07a32 Mon Sep 17 00:00:00 2001
From: Shelikhoo <xiaokangwang@outlook.com>
Date: Wed, 5 May 2021 11:25:50 +0100
Subject: [PATCH] show warning for asset directory transversal to prepare for
 network api based reload in v5

---
 common/platform/errors.generated.go | 9 +++++++++
 common/platform/others.go           | 5 +++++
 common/platform/platform.go         | 2 ++
 common/platform/windows.go          | 6 +++++-
 4 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 common/platform/errors.generated.go

diff --git a/common/platform/errors.generated.go b/common/platform/errors.generated.go
new file mode 100644
index 000000000..c3ad350b1
--- /dev/null
+++ b/common/platform/errors.generated.go
@@ -0,0 +1,9 @@
+package platform
+
+import "github.com/v2fly/v2ray-core/v4/common/errors"
+
+type errPathObjHolder struct{}
+
+func newError(values ...interface{}) *errors.Error {
+	return errors.New(values...).WithPathObj(errPathObjHolder{})
+}
diff --git a/common/platform/others.go b/common/platform/others.go
index a2f92c714..934a5b336 100644
--- a/common/platform/others.go
+++ b/common/platform/others.go
@@ -7,6 +7,7 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
+	"strings"
 )
 
 func ExpandEnv(s string) string {
@@ -25,6 +26,10 @@ func GetToolLocation(file string) string {
 
 // GetAssetLocation search for `file` in certain locations
 func GetAssetLocation(file string) string {
+	filepathCleaned := filepath.Clean(file)
+	if strings.HasPrefix("..", filepathCleaned) {
+		newError("directory transversal is not allowed for assets. This will be forbidden in v5.").AtWarning().WriteToLog()
+	}
 	const name = "v2ray.location.asset"
 	assetPath := NewEnvFlag(name).GetValue(getExecutableDir)
 	defPath := filepath.Join(assetPath, file)
diff --git a/common/platform/platform.go b/common/platform/platform.go
index 845782b00..b1aa0f1ad 100644
--- a/common/platform/platform.go
+++ b/common/platform/platform.go
@@ -7,6 +7,8 @@ import (
 	"strings"
 )
 
+//go:generate go run github.com/v2fly/v2ray-core/v4/common/errors/errorgen
+
 type EnvFlag struct {
 	Name    string
 	AltName string
diff --git a/common/platform/windows.go b/common/platform/windows.go
index 454a24063..1296f3261 100644
--- a/common/platform/windows.go
+++ b/common/platform/windows.go
@@ -19,8 +19,12 @@ func GetToolLocation(file string) string {
 	return filepath.Join(toolPath, file+".exe")
 }
 
-// GetAssetLocation search for `file` in the excutable dir
+// GetAssetLocation search for `file` in the executable dir
 func GetAssetLocation(file string) string {
+	filepathCleaned := filepath.Clean(file)
+	if strings.HasPrefix("..", filepathCleaned) {
+		newError("directory transversal is not allowed for assets. This will be forbidden in v5.").AtWarning().WriteToLog()
+	}
 	const name = "v2ray.location.asset"
 	assetPath := NewEnvFlag(name).GetValue(getExecutableDir)
 	return filepath.Join(assetPath, file)