Disallow relative paths that start with ../

Fixes a potential arbitrary file read vulnerability in yard server. Thanks to ztz <ztz@ztz.me> for discovery of this security issue.
lsegal · Nov 23, 2017 · b0217b3 · b0217b3
1 parent bd56c5d
commit b0217b3
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 3 deletions.
diff --git a/lib/yard/core_ext/file.rb b/lib/yard/core_ext/file.rb
@@ -40,6 +40,8 @@ def self.cleanpath(path)
       if comp == RELATIVE_PARENTDIR && !acc.empty? && acc.last != RELATIVE_PARENTDIR
         acc.pop
         next acc
+      elsif comp == RELATIVE_PARENTDIR && acc.empty?
+        next acc
       end
       acc << comp
     end

diff --git a/spec/core_ext/file_spec.rb b/spec/core_ext/file_spec.rb
@@ -41,12 +41,12 @@
       expect(File.cleanpath('A/B/C/D/..')).to eq "A/B/C"
     end
 
-    it "passes the initial directory" do
-      expect(File.cleanpath('C/../../D')).to eq "../D"
+    it "does not allow relative path above root" do
+      expect(File.cleanpath('A/../../../../../D')).to eq "D"
     end
 
     it "does not remove multiple '../' at the beginning" do
-      expect(File.cleanpath('../../A/B')).to eq '../../A/B'
+      expect(File.cleanpath('../../A/B')).to eq 'A/B'
     end
   end