AkkomaGang/akkoma
AkkomaGang
/
akkoma
12
63
Fork 83
Code Issues 165 Pull Requests 13 Packages Projects 2 Releases 13 Wiki Activity

Resolve information disclosure vulnerability through emoji pack archive download endpoint
ci/woodpecker/push/test Pipeline was successful Details
ci/woodpecker/push/build-arm64 Pipeline was successful Details
ci/woodpecker/push/build-amd64 Pipeline was successful Details
ci/woodpecker/push/docs Pipeline was successful Details

This commit is contained in:
Mark Felder 2023-08-04 11:34:19 +01:00 committed by FloatingGhost
parent babb4b9a8f
commit 7e45343f81
2 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
lib/pleroma/emoji/pack.ex
View File

@ -287,6 +287,7 @@ defmodule Pleroma.Emoji.Pack do
@spec load_pack(String.t()) :: {:ok, t()} | {:error, :file.posix()}
def load_pack(name) do
name = Path.basename(name)
pack_file = Path.join([emoji_path(), name, "pack.json"])
with {:ok, _} <- File.stat(pack_file),

4
test/pleroma/emoji/pack_test.exs
View File

@ -90,4 +90,8 @@ defmodule Pleroma.Emoji.PackTest do
assert updated_pack.files_count == 1
end
test "load_pack/1 ignores path traversal in a forged pack name", %{pack: pack} do
assert {:ok, ^pack} = Pack.load_pack("../../../../../dump_pack")
end
end