From f254bf85eb6dc945ced2cdc5fd73ec9fb1abf5a5 Mon Sep 17 00:00:00 2001
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com>
Date: Mon, 22 Feb 2021 19:35:49 +0000
Subject: [PATCH] RPC: Improve snapshot path sanitization (bp #15456) (#15457)

Co-authored-by: Michael Vines
---
 core/src/rpc_service.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/core/src/rpc_service.rs b/core/src/rpc_service.rs
index 3183ef22da..6f631ecf2a 100644
--- a/core/src/rpc_service.rs
+++ b/core/src/rpc_service.rs
@@ -65,7 +65,7 @@ impl RpcRequestMiddleware {
         Self {
             ledger_path,
             snapshot_archive_path_regex: Regex::new(
-                r"/snapshot-\d+-[[:alnum:]]+\.(tar|tar\.bz2|tar\.zst|tar\.gz)$",
+                r"^/snapshot-\d+-[[:alnum:]]+\.(tar|tar\.bz2|tar\.zst|tar\.gz)$",
             )
             .unwrap(),
             snapshot_config,
@@ -579,6 +579,9 @@ mod tests {
         assert!(rrm_with_snapshot_config.is_file_get_path(
             "/snapshot-100-AvFf9oS8A8U78HdjT9YG2sTTThLHJZmhaMn2g8vkWYnr.tar.zst"
         ));
+        assert!(!rrm_with_snapshot_config.is_file_get_path(
+            "../snapshot-100-AvFf9oS8A8U78HdjT9YG2sTTThLHJZmhaMn2g8vkWYnr.tar.zst"
+        ));
         assert!(rrm_with_snapshot_config
             .is_file_get_path("/snapshot-100-AvFf9oS8A8U78HdjT9YG2sTTThLHJZmhaMn2g8vkWYnr.tar.gz"));
         assert!(rrm_with_snapshot_config
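Review bot: The regex on the `+` line now carries both `^` and `$`, but nothing in the hunk records that those anchors are the path-traversal defence, so a later edit that loosens either end would not read as a security-relevant change. I would add above the `snapshot_archive_path_regex: Regex::new(` line: `// Anchored at both ends on purpose: only digits, alphanumerics and one of the`, `// fixed archive extensions may follow "/snapshot-", so a request path cannot`, `// smuggle "/" or ".." components into the ledger directory.` What string is matched (the raw request path, or a percent-decoded form) is not visible here, and the comment should name it once confirmed, since `%2e%2e` would only be caught if decoding happens before this check. The enclosing constructor starts before the hunk.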
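Review bot: The added assertion only exercises a path that fails the new `^` anchor at offset 0; nothing pins the `$` anchor or a traversal placed after a leading `/`, so a regression in either would still pass this test. I would add next to it `assert!(!rrm_with_snapshot_config.is_file_get_path("/x/../snapshot-100-AvFf9oS8A8U78HdjT9YG2sTTThLHJZmhaMn2g8vkWYnr.tar.zst"));` and `assert!(!rrm_with_snapshot_config.is_file_get_path("/snapshot-100-AvFf9oS8A8U78HdjT9YG2sTTThLHJZmhaMn2g8vkWYnr.tar.zst/../x"));`, which the visible regex rejects today. Whether the checked string is percent-decoded before matching cannot be seen from this hunk; if it is, a `%2e%2e`-encoded variant is worth a case as well. The enclosing test function starts and ends outside the hunk.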