RPC: Improve snapshot path sanitization (bp #15456) (#15457)

Co-authored-by: Michael Vines <mvines@gmail.com>
2021-02-22 19:35:49 +00:00
parent 8b80628b38
commit f254bf85eb
1 changed files with 4 additions and 1 deletions
--- a/core/src/rpc_service.rs
+++ b/core/src/rpc_service.rs
@ -65,7 +65,7 @@ impl RpcRequestMiddleware {
        Self {
            ledger_path,
            snapshot_archive_path_regex: Regex::new(
-                r"/snapshot-\d+-[[:alnum:]]+\.(tar|tar\.bz2|tar\.zst|tar\.gz)$",
+                r"^/snapshot-\d+-[[:alnum:]]+\.(tar|tar\.bz2|tar\.zst|tar\.gz)$",
            )
            .unwrap(),
            snapshot_config,
@ -579,6 +579,9 @@ mod tests {
        assert!(rrm_with_snapshot_config.is_file_get_path(
            "/snapshot-100-AvFf9oS8A8U78HdjT9YG2sTTThLHJZmhaMn2g8vkWYnr.tar.zst"
        ));
+        assert!(!rrm_with_snapshot_config.is_file_get_path(
+            "../snapshot-100-AvFf9oS8A8U78HdjT9YG2sTTThLHJZmhaMn2g8vkWYnr.tar.zst"
+        ));
        assert!(rrm_with_snapshot_config
            .is_file_get_path("/snapshot-100-AvFf9oS8A8U78HdjT9YG2sTTThLHJZmhaMn2g8vkWYnr.tar.gz"));
        assert!(rrm_with_snapshot_config