From a720d1e2d638782f07af7eccb7af4dfefee07a32 Mon Sep 17 00:00:00 2001
From: Shelikhoo
Date: Wed, 5 May 2021 11:25:50 +0100
Subject: [PATCH] show warning for asset directory transversal to prepare for network api based reload in v5
---
 common/platform/errors.generated.go | 9 +++++++++
 common/platform/others.go | 5 +++++
 common/platform/platform.go | 2 ++
 common/platform/windows.go | 6 +++++-
 4 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 common/platform/errors.generated.go
diff --git a/common/platform/errors.generated.go b/common/platform/errors.generated.go
new file mode 100644
index 000000000..c3ad350b1
--- /dev/null
+++ b/common/platform/errors.generated.go
@@ -0,0 +1,9 @@
+package platform
+
+import "github.com/v2fly/v2ray-core/v4/common/errors"
+
+type errPathObjHolder struct{}
+
+func newError(values ...interface{}) *errors.Error {
+ return errors.New(values...).WithPathObj(errPathObjHolder{})
+}
diff --git a/common/platform/others.go b/common/platform/others.go
index a2f92c714..934a5b336 100644
--- a/common/platform/others.go
+++ b/common/platform/others.go
@@ -7,6 +7,7 @@ import (
 "io/fs"
 "os"
 "path/filepath"
+ "strings"
 )
 
 func ExpandEnv(s string) string {
@@ -25,6 +26,10 @@ func GetToolLocation(file string) string {
 
 // GetAssetLocation search for `file` in certain locations
 func GetAssetLocation(file string) string {
+ filepathCleaned := filepath.Clean(file)
+ if strings.HasPrefix("..", filepathCleaned) {
+ newError("directory transversal is not allowed for assets. This will be forbidden in v5.").AtWarning().WriteToLog()
+ }
 const name = "v2ray.location.asset"
 assetPath := NewEnvFlag(name).GetValue(getExecutableDir)
 defPath := filepath.Join(assetPath, file)
diff --git a/common/platform/platform.go b/common/platform/platform.go
index 845782b00..b1aa0f1ad 100644
--- a/common/platform/platform.go
+++ b/common/platform/platform.go
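Review bot: The traversal check added to GetAssetLocation in common/platform/others.go passes its arguments to `strings.HasPrefix` in the wrong order: the signature is `HasPrefix(s, prefix)`, so `strings.HasPrefix("..", filepathCleaned)` is true only when the cleaned path is exactly `.` or `..`, and a path that climbs out of the asset directory never produces the warning. The identical line is added to GetAssetLocation in common/platform/windows.go. Swapping the arguments alone would also flag ordinary file names that merely begin with two dots, so compare whole path elements: `if filepathCleaned == ".." || strings.HasPrefix(filepathCleaned, ".."+string(filepath.Separator)) {`. The check only logs and the function goes on to join the unmodified `file` onto the asset directory; the rest of the body lies outside the hunk, so whether absolute paths need the same warning cannot be judged from here.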
@@ -7,6 +7,8 @@ import (
 "strings"
 )
 
+//go:generate go run github.com/v2fly/v2ray-core/v4/common/errors/errorgen
+
 type EnvFlag struct {
 Name string
 AltName string
diff --git a/common/platform/windows.go b/common/platform/windows.go
index 454a24063..1296f3261 100644
--- a/common/platform/windows.go
+++ b/common/platform/windows.go
@@ -19,8 +19,12 @@ func GetToolLocation(file string) string {
 return filepath.Join(toolPath, file+".exe")
 }
 
-// GetAssetLocation search for `file` in the excutable dir
+// GetAssetLocation search for `file` in the executable dir
 func GetAssetLocation(file string) string {
+ filepathCleaned := filepath.Clean(file)
+ if strings.HasPrefix("..", filepathCleaned) {
+ newError("directory transversal is not allowed for assets. This will be forbidden in v5.").AtWarning().WriteToLog()
+ }
 const name = "v2ray.location.asset"
 assetPath := NewEnvFlag(name).GetValue(getExecutableDir)
 return filepath.Join(assetPath, file)
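Review bot: `strings.HasPrefix` is called in GetAssetLocation in common/platform/windows.go, but this commit adds no `"strings"` import to that file: the diffstat lists six changed lines for it and this hunk accounts for all of them, whereas others.go receives the import in its own hunk. The import block is outside the hunk, so if the file does not already import `strings` the Windows build fails to compile, and a build on another platform would presumably not notice. Add `"strings"` to the file's import block in the same commit.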