Fix: potential vulnerability in http provider (#2680)

2023-04-16 20:14:36 +08:00 · 2023-04-16 20:14:36 +08:00 · df61a586c9
commit df61a586c9
parent 8e05fbfd6d
2 changed files with 20 additions and 1 deletions
--- a/adapter/provider/parser.go
+++ b/adapter/provider/parser.go
@ -10,7 +10,10 @@ import (
 	types "github.com/Dreamacro/clash/constant/provider"
 )

-var errVehicleType = errors.New("unsupport vehicle type")
+var (
+	errVehicleType = errors.New("unsupport vehicle type")
+	errSubPath     = errors.New("path is not subpath of home directory")
+)

 type healthCheckSchema struct {
 	Enable   bool   `provider:"enable"`
@ -53,6 +56,9 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
 	case "file":
 		vehicle = NewFileVehicle(path)
 	case "http":
+		if !C.Path.IsSubPath(path) {
+			return nil, fmt.Errorf("%w: %s", errSubPath, path)
+		}
 		vehicle = NewHTTPVehicle(schema.URL, path)
 	default:
 		return nil, fmt.Errorf("%w: %s", errVehicleType, schema.Type)
--- a/constant/path.go
+++ b/constant/path.go
@ -4,6 +4,7 @@ import (
 	"os"
 	P "path"
 	"path/filepath"
+	"strings"
 )

 const Name = "clash"
@ -51,6 +52,18 @@ func (p *path) Resolve(path string) string {
 	return path
 }

+// IsSubPath return true if path is a subpath of homedir
+func (p *path) IsSubPath(path string) bool {
+	homedir := p.HomeDir()
+	path = p.Resolve(path)
+	rel, err := filepath.Rel(homedir, path)
+	if err != nil {
+		return false
+	}
+
+	return !strings.Contains(rel, "..")
+}
+
 func (p *path) MMDB() string {
 	return P.Join(p.homeDir, "Country.mmdb")
 }