Resolve information disclosure vulnerability through emoji pack archive download endpoint

2024-11-17 18:49:15 +00:00 · 2023-08-04 11:34:19 +01:00 · 2023-08-04 11:34:19 +01:00 · 7e45343f81
parent babb4b9a8f
commit 7e45343f81
2 changed files with 5 additions and 0 deletions
--- a/lib/pleroma/emoji/pack.ex
+++ b/lib/pleroma/emoji/pack.ex
@ -287,6 +287,7 @@ def update_metadata(name, data) do

  @spec load_pack(String.t()) :: {:ok, t()} | {:error, :file.posix()}
  def load_pack(name) do
+    name = Path.basename(name)
    pack_file = Path.join([emoji_path(), name, "pack.json"])

    with {:ok, _} <- File.stat(pack_file),
--- a/test/pleroma/emoji/pack_test.exs
+++ b/test/pleroma/emoji/pack_test.exs
@ -90,4 +90,8 @@ test "add emoji file", %{pack: pack} do

    assert updated_pack.files_count == 1
  end
+
+  test "load_pack/1 ignores path traversal in a forged pack name", %{pack: pack} do
+    assert {:ok, ^pack} = Pack.load_pack("../../../../../dump_pack")
+  end
 end