From 6193fcd51ef14bb1484e66d33ec2781a997afcd2 Mon Sep 17 00:00:00 2001
From: yann300
Date: Tue, 2 Mar 2021 11:47:28 +0100
Subject: [PATCH] forbids plugin to access root file system
---
 apps/remix-ide/src/app/files/fileManager.js | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/apps/remix-ide/src/app/files/fileManager.js b/apps/remix-ide/src/app/files/fileManager.js
index 6f971f3331..72ac2972a0 100644
--- a/apps/remix-ide/src/app/files/fileManager.js
+++ b/apps/remix-ide/src/app/files/fileManager.js
@@ -57,6 +57,12 @@ class FileManager extends Plugin {
 this.mode = mode
 }
 
+ limitPluginScope (path) {
+ if (!this.currentRequest) return path // no plugin request, path shall not be modified.
+ if (this.appManager.isRequired(this.currentRequest.from)) return path // caller is a service plugin, path shall not be modified
+ return path.replace(/^\/browser\//, '').replace(/^browser\//, '') // forbids plugin to access the root filesystem
+ }
+
 /**
 * Emit error if path doesn't exist
 * @param {string} path path of the file/directory
@@ -110,6 +116,7 @@ class FileManager extends Plugin {
 * @returns {boolean} true if the path exists
 */
 exists (path) {
+ path = this.limitPluginScope(path)
 const provider = this.fileProviderOf(path)
 const result = provider.exists(path, (err, result) => {
 if (err) return false
@@ -149,6 +156,7 @@ class FileManager extends Plugin {
 * @returns {void}
 */
 async open (path) {
+ path = this.limitPluginScope(path)
 await this._handleExists(path, `Cannot open file ${path}`)
 await this._handleIsFile(path, `Cannot open file ${path}`)
 return this.openFile(path)
@@ -161,6 +169,7 @@ class FileManager extends Plugin {
 * @returns {void}
 */
 async writeFile (path, data) {
+ path = this.limitPluginScope(path)
 if (await this.exists(path)) {
 await this._handleIsFile(path, `Cannot write file ${path}`)
 return await this.setFileContent(path, data)
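Review bot: `limitPluginScope` is not idempotent, because its two anchored `replace` calls remove at most one leading `/browser/` and one leading `browser/`, so a path that repeats the prefix can still start with `browser/` after one pass. The patch itself runs the helper twice on the same value: `writeFile`, `rename` and `mkdir` strip the path and then call `this.exists(...)`, which strips it again, so the existence check and the write, rename or create that follows can refer to different paths. Stripping to a fixed point removes the mismatch, for example `return path.replace(/^(?:\/*browser\/)+/, '')`. Dot segments such as `..` pass through untouched, and whether `fileProviderOf` normalises them is not visible in this patch, so that is worth confirming before relying on the helper as the plugin boundary.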
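Review bot: In `open` the parameter `path` is overwritten before it is interpolated into `Cannot open file ${path}`, so the error a plugin receives names the rewritten path and nothing in the method still holds the path that was requested. The same in-place reassignment is used in `exists`, `writeFile`, `readFile`, `copyFile`, `rename`, `mkdir`, `readdir` and `remove`. Binding the result to a new name, `const scopedPath = this.limitPluginScope(path)`, keeps the requested value available for the message and lets the method log when the two differ, which is the only trace that a plugin asked for a path outside its scope.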
@@ -177,6 +186,7 @@ class FileManager extends Plugin { * @returns {string} content of the file */ async readFile (path) { + path = this.limitPluginScope(path) await this._handleExists(path, `Cannot read file ${path}`) await this._handleIsFile(path, `Cannot read file ${path}`) return this.getFileContent(path) @@ -189,6 +199,8 @@ class FileManager extends Plugin { * @returns {void} */ async copyFile (src, dest) { + src = this.limitPluginScope(src) + dest = this.limitPluginScope(dest) await this._handleExists(src, `Cannot copy from ${src}`) await this._handleIsFile(src, `Cannot copy from ${src}`) await this._handleIsFile(dest, `Cannot paste content into ${dest}`) @@ -204,6 +216,8 @@ class FileManager extends Plugin { * @returns {void} */ async rename (oldPath, newPath) { + oldPath = this.limitPluginScope(oldPath) + newPath = this.limitPluginScope(newPath) await this._handleExists(oldPath, `Cannot rename ${oldPath}`) const isFile = await this.isFile(oldPath) const newPathExists = await this.exists(newPath) @@ -230,6 +244,7 @@ class FileManager extends Plugin { * @returns {void} */ async mkdir (path) { + path = this.limitPluginScope(path) if (await this.exists(path)) { throw createError({ code: 'EEXIST', message: `Cannot create directory ${path}` }) } @@ -244,6 +259,7 @@ class FileManager extends Plugin { * @returns {string[]} list of the file/directory name in this directory */ async readdir (path) { + path = this.limitPluginScope(path) await this._handleExists(path) await this._handleIsDir(path) @@ -263,6 +279,7 @@ class FileManager extends Plugin { * @returns {void} */ async remove (path) { + path = this.limitPluginScope(path) await this._handleExists(path, `Cannot remove file or directory ${path}`) const provider = this.fileProviderOf(path)
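Review bot: `rename` scopes `oldPath` and `newPath` but then calls `this.isFile(oldPath)`, a method this patch does not touch, which shows the guard is applied per entry point rather than at one choke point. If `isFile` or any other method outside these hunks is callable by plugins (the plugin profile is not visible here), it still accepts an unscoped path; adding `path = this.limitPluginScope(path)` as its first line would close that. A test that walks the profile's method list and checks each path-taking method goes through `limitPluginScope` would keep later additions from missing the guard. `rename`'s body continues outside the hunk.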