Prevent directory traversal attacks

2025-05-15 14:12:27 +00:00 · 2022-09-22 17:11:17 -05:00 · 2022-09-22 17:11:17 -05:00 · 2cf2e6622a
commit 2cf2e6622a
parent b26d96bacd
3 changed files with 20 additions and 9 deletions
--- a/ProjectLighthouse.Servers.GameServer/Controllers/Resources/ResourcesController.cs
+++ b/ProjectLighthouse.Servers.GameServer/Controllers/Resources/ResourcesController.cs
@ -56,6 +56,12 @@ public class ResourcesController : ControllerBase

        string path = FileHelper.GetResourcePath(hash);

+        string fullPath = Path.GetFullPath(path);
+        string basePath = Path.GetFullPath(FileHelper.ResourcePath);
+
+        // Prevent directory traversal attacks
+        if (!fullPath.StartsWith(basePath)) return this.BadRequest();
+
        if (FileHelper.ResourceExists(hash)) return this.File(IOFile.OpenRead(path), "application/octet-stream");

        return this.NotFound();
--- a/ProjectLighthouse.Servers.Website/Controllers/ResourcesController.cs
+++ b/ProjectLighthouse.Servers.Website/Controllers/ResourcesController.cs
@ -11,18 +11,19 @@ public class ResourcesController : ControllerBase
    [HttpGet("/gameAssets/{hash}")]
    public IActionResult GetGameImage(string hash)
    {
-        string path = Path.Combine("png", $"{hash}.png");
+        string path = FileHelper.GetImagePath($"{hash}.png");

-        if (IOFile.Exists(path))
-        {
-            return this.File(IOFile.OpenRead(path), "image/png");
-        }
+        string fullPath = Path.GetFullPath(path);
+        string basePath = Path.GetFullPath(FileHelper.ImagePath);
+
+        // Prevent directory traversal attacks
+        if (!fullPath.StartsWith(basePath)) return this.BadRequest();
+
+        if (IOFile.Exists(path)) return this.File(IOFile.OpenRead(path), "image/png");

        LbpFile? file = LbpFile.FromHash(hash);
-        if (file != null && FileHelper.LbpFileToPNG(file))
-        {
-            return this.File(IOFile.OpenRead(path), "image/png");
-        }
+        if (file != null && FileHelper.LbpFileToPNG(file)) return this.File(IOFile.OpenRead(path), "image/png");
+
        return this.NotFound();
    }
 }
--- a/ProjectLighthouse/Files/FileHelper.cs
+++ b/ProjectLighthouse/Files/FileHelper.cs
@ -24,8 +24,12 @@ public static class FileHelper
 {
    public static readonly string ResourcePath = Path.Combine(Environment.CurrentDirectory, "r");

+    public static readonly string ImagePath = Path.Combine(Environment.CurrentDirectory, "png");
+
    public static string GetResourcePath(string hash) => Path.Combine(ResourcePath, hash);

+    public static string GetImagePath(string hash) => Path.Combine(ImagePath, hash);
+
    public static bool AreDependenciesSafe(LbpFile file)
    {
        // recursively check if dependencies are safe