Added new wwwroot_get_simplified_abs_path() helper to FileCache. Also…

… improved the other path helper methods.
Relintai · Mar 10, 2024 · 6addb02 · 6addb02
1 parent b96205f
commit 6addb02
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 1 deletion.
diff --git a/modules/web/file_cache.cpp b/modules/web/file_cache.cpp
@@ -69,6 +69,13 @@ bool FileCache::wwwroot_has_file(const String &file_path) {
 
 	String fp = _wwwroot_abs + file_path;
 
+	fp = fp.simplify_path();
+
+	// Don't allow going outside wwwroot
+	if (!fp.begins_with(_wwwroot_abs)) {
+		return false;
+	}
+
 	if (!FileAccess::exists(fp)) {
 		return false;
 	}
@@ -92,7 +99,7 @@ bool FileCache::wwwroot_has_file(const String &file_path) {
 	String absp = f->get_path_absolute();
 	memdelete(f);
 
-	//likely a directory walking attempt. e.g. ../../../../../etc/passwd
+	// likely a directory walking attempt. e.g. ../../../../../etc/passwd
 	if (!absp.begins_with(_wwwroot_abs)) {
 		return false;
 	}
@@ -107,6 +114,13 @@ String FileCache::wwwroot_get_file_abspath(const String &file_path) {
 
 	String fp = _wwwroot_abs + file_path;
 
+	fp = fp.simplify_path();
+
+	// Don't allow going outside wwwroot
+	if (!fp.begins_with(_wwwroot_abs)) {
+		return String();
+	}
+
 	if (!FileAccess::exists(fp)) {
 		return String();
 	}
@@ -138,6 +152,19 @@ String FileCache::wwwroot_get_file_abspath(const String &file_path) {
 	return absp;
 }
 
+String FileCache::wwwroot_get_simplified_abs_path(const String &file_path) {
+	String fp = _wwwroot_abs + file_path;
+
+	fp = fp.simplify_path();
+
+	// Don't allow going outside wwwroot
+	if (!fp.begins_with(_wwwroot_abs)) {
+		return String();
+	}
+
+	return fp;
+}
+
 bool FileCache::get_cached_body(const String &path, String *body) {
 	//TODO ERROR MACRO body == null
 
@@ -264,6 +291,8 @@ void FileCache::_bind_methods() {
 	ClassDB::bind_method(D_METHOD("wwwroot_has_file", "file_path"), &FileCache::wwwroot_has_file);
 	ClassDB::bind_method(D_METHOD("wwwroot_get_file_abspath", "file_path"), &FileCache::wwwroot_get_file_abspath);
 
+	ClassDB::bind_method(D_METHOD("wwwroot_get_simplified_abs_path", "file_path"), &FileCache::wwwroot_get_simplified_abs_path);
+
 	ClassDB::bind_method(D_METHOD("get_cached_body", "path"), &FileCache::get_cached_body_bind);
 	ClassDB::bind_method(D_METHOD("has_cached_body", "path"), &FileCache::has_cached_body);
 	ClassDB::bind_method(D_METHOD("set_cached_body", "path", "body"), &FileCache::set_cached_body);

diff --git a/modules/web/file_cache.h b/modules/web/file_cache.h
@@ -57,6 +57,8 @@ class FileCache : public Reference {
 	//e.g. http://127.0.0.1/a/b/d.jpg -> /a/b/d.jpg
 	bool wwwroot_has_file(const String &file_path);
 	String wwwroot_get_file_abspath(const String &file_path);
+
+	String wwwroot_get_simplified_abs_path(const String &file_path);
 
 	bool get_cached_body(const String &path, String *body);
 	bool has_cached_body(const String &path);