
Disallow parent dir path in sanitize_params#1828

Merged
ryan-pratt merged 1 commit into main from bug/sanitize-params-parent-dir on Jan 15, 2025

Conversation


@ryan-pratt ryan-pratt commented Jan 14, 2025

Contributor

Patches the following CVEs:

@ryan-pratt ryan-pratt requested a review from ryanmelt January 14, 2025 18:13


codecov Bot commented Jan 14, 2025


Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 79.58%. Comparing base (e319cdb) to head (fc7e113).
Report is 16 commits behind head on main.

@@            Coverage Diff             @@
##             main    #1828      +/-   ##
==========================================
+ Coverage   79.56%   79.58%   +0.01%     
==========================================
  Files         517      517              
  Lines       40739    40743       +4     
==========================================
+ Hits        32414    32425      +11     
+ Misses       8325     8318       -7     
Flag Coverage Δ
python 84.30% <ø> (+0.04%) ⬆️
ruby-api 48.69% <100.00%> (+0.04%) ⬆️
ruby-backend 82.61% <ø> (ø)


value = arg.encode(Encoding::UTF_8, invalid: :replace, undef: :replace, replace: "�").strip.tr("\u{202E}%$|:;/\t\r\n\\", "-")
end
if not allow_parent_dir
value = value.gsub(/(\.|%2e){2}/i, "-")
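Review bot: the `%2e` alternative in `/(\.|%2e){2}/i` cannot match anything that has gone through the `tr` call two lines above, because that call already maps `%` to `-` (so `%2e%2e` arrives at the `gsub` as `-2e-2e`); either drop the alternative or add a comment explaining which code path reaches the `gsub` with `%` still intact. Worth a comment too that `{2}` collapses dot pairs rather than runs, so `...` becomes `-.`; that is no longer a parent-directory reference, but the intent is not obvious from the regex alone. Minor style point: `unless allow_parent_dir` is the idiomatic form of `if not allow_parent_dir`.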

Member


Any reason to replace with - vs just remove completely?

Contributor Author


No particular reason, just matching the tr() above
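As an added illustration (not code from this PR or from the project), the following stand-alone Ruby reconstructs the two sanitizing steps visible in the snippet under review so their combined effect on traversal-style inputs can be checked; the method name `sanitize_param`, the `allow_parent_dir:` keyword and the sample inputs are assumptions.

```ruby
# Added example, not the project's code: reconstructs the two sanitizing
# steps shown in the PR snippet. Method name and keyword are assumptions.
def sanitize_param(arg, allow_parent_dir: false)
  # Step 1 (present before this PR): force valid UTF-8, trim whitespace,
  # and map the Unicode RLO override plus shell/path metacharacters
  # (including "/", "\\" and "%") to "-".
  value = arg.encode(Encoding::UTF_8, invalid: :replace, undef: :replace, replace: "�")
             .strip
             .tr("\u{202E}%$|:;/\t\r\n\\", "-")
  # Step 2 (this PR): unless the caller opts in, replace every pair of
  # "." (or "%2e") with "-" so the value can never name a parent directory.
  value = value.gsub(/(\.|%2e){2}/i, "-") unless allow_parent_dir
  value
end

# Constructed inputs paired with the result the reconstruction produces.
SAMPLE_INPUTS = {
  "../../etc/passwd"      => "----etc-passwd", # separators and dot pairs collapse
  "%2e%2e/secret"         => "-2e-2e-secret",  # "%" is already "-" before gsub runs
  "..."                   => "-.",             # {2} works on pairs; one dot remains
  "report.txt"            => "report.txt",     # a single dot is untouched
  " name\u{202E}txt.exe " => "name-txt.exe",   # stripped, RLO mapped to "-"
}.freeze

# Returns the sample inputs whose sanitized form differs from the expected value.
def mismatches
  SAMPLE_INPUTS.reject { |input, expected| sanitize_param(input) == expected }.keys
end

puts(mismatches.empty? ? "all samples match" : "mismatches: #{mismatches.inspect}")
```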

@ryan-pratt ryan-pratt merged commit 2fcef55 into main Jan 15, 2025
@ryan-pratt ryan-pratt deleted the bug/sanitize-params-parent-dir branch January 15, 2025 21:40