IWritableDirProvider does not allow access to parent directories.

Fixes #1229 Added tests.
2026-02-15 03:30:53 +01:00 · 2020-08-16 01:32:19 +02:00
parent 1934428c95
commit 1e89c5f1fd
2 changed files with 59 additions and 2 deletions
--- a/Robust.Shared/ContentPack/WritableDirProvider.cs
+++ b/Robust.Shared/ContentPack/WritableDirProvider.cs
@@ -1,6 +1,5 @@
 using System.Collections.Generic;
 using System.IO;
-using System.Text;
 using Robust.Shared.Interfaces.Resources;
 using Robust.Shared.Utility;

@@ -107,7 +106,7 @@ namespace Robust.Shared.ContentPack

        private static string GetFullPath(string root, ResourcePath path)
        {
-            var relPath = path.Clean().ToRelativePath().ToString();
+            var relPath = path.ToRootedPath().Clean().ToRelativeSystemPath();
            return Path.GetFullPath(Path.Combine(root, relPath));
        }
    }
--- a/Robust.UnitTesting/Shared/Resources/WritableDirProviderTest.cs
+++ b/Robust.UnitTesting/Shared/Resources/WritableDirProviderTest.cs
@@ -0,0 +1,58 @@
+using System;
+using System.IO;
+using NUnit.Framework;
+using Robust.Shared.ContentPack;
+using Robust.Shared.Interfaces.Resources;
+using Robust.Shared.Utility;
+
+namespace Robust.UnitTesting.Shared.Resources
+{
+    [TestFixture]
+    [TestOf(typeof(WritableDirProvider))]
+    public class WritableDirProviderTest
+    {
+        private string _testDirPath = default!;
+        private DirectoryInfo _testDir = default!;
+        private WritableDirProvider _dirProvider = default!;
+
+        [OneTimeSetUp]
+        public void Setup()
+        {
+            var tmpPath = Path.GetTempPath();
+            var guid = Guid.NewGuid();
+            _testDirPath = Path.Combine(tmpPath, guid.ToString());
+
+            _testDir = Directory.CreateDirectory(_testDirPath);
+            var subDir = Path.Combine(_testDirPath, "writable");
+
+            _dirProvider = new WritableDirProvider(Directory.CreateDirectory(subDir));
+        }
+
+        [OneTimeTearDown]
+        public void TearDown()
+        {
+            _testDir.Delete(true);
+        }
+
+        [Test]
+        public void TestNoParentAccess()
+        {
+            File.WriteAllText(Path.Combine(_testDirPath, "dummy"), "foobar");
+
+            // No, ../ does not work to read stuff in the parent dir.
+            Assert.That(() => _dirProvider.ReadAllText(new ResourcePath("../dummy")),
+                Throws.InstanceOf<FileNotFoundException>());
+        }
+
+        [Test]
+        public void TestParentAccessClamped()
+        {
+            File.WriteAllText(Path.Combine(_testDirPath, "dummy"), "foobar");
+
+            _dirProvider.WriteAllText(new ResourcePath("dummy"), "pranked");
+
+            // ../ should get clamped to /.
+            Assert.That(_dirProvider.ReadAllText(new ResourcePath("../dummy")), Is.EqualTo("pranked"));
+        }
+    }
+}