
By pass security check: do not allow ../ in path #5250

Closed
novysodope opened this issue Jul 26, 2023 · 1 comment · Fixed by #5251
Labels
enhancement New feature or request

Comments

novysodope commented Jul 26, 2023

Check

  • I have already read Docs page
  • I have already searched existing issues

Feature Request

When browsing the project code, I found a vulnerability fix for arbitrary file reading:

security check: do not allow ../ in path

After a brief thought, I found that this safety check is incomplete, that is to say, I can bypass it here.

In Windows, I can use ..\ to bypass:

{% include_code ..\..\..\..\..\..\..\..\..\..\..\test.txt %}


The Linux file system does not support reading backslashes; theoretically it could be read through ..\/..\/..\/..\/..\/etc/passwd, but I did not verify this successfully on Linux. This operation was only verified successfully in the Windows environment.

So my suggestion is not only to disallow ../ in the path, but also to disallow ..\ in the path, or change ../ to .. , file

stevenjoezhang (Member) commented:

I agree that include_code should only encompass files within the Hexo workspace. Otherwise, malicious attackers might manipulate users into revealing sensitive files from the disk through relative paths.

@stevenjoezhang stevenjoezhang linked a pull request Jul 27, 2023 that will close this issue
@uiolee uiolee added the enhancement New feature or request label Sep 28, 2023