Fantom-foundation / Aida

Aida is a block-processing testing infrastructure for EVM-compatible chains.
GNU Lesser General Public License v3.0

Bugfix: Uncontrolled data used in path expression #1114

Closed rpl-ffl closed 3 months ago

rpl-ffl commented 3 months ago

Uncontrolled data used in path expression

https://codeql.github.com/codeql-query-help/go/go-path-injection/

Fixes https://github.com/Fantom-foundation/Aida/issues/1110

rpl-ffl commented 3 months ago

Thanks @evgensheff. Worth noting: "I think filepath.Abs is a gamechanger. It doesn't matter what safe or baseDir we have, CodeQL just wants to be sure it does not have .. or ../.. to navigate inside our fileserver."
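The fix the comment describes, resolving the user-supplied path with filepath.Abs and refusing anything that steps outside the served directory, as an added Go example that is not Aida's code and not the change merged in this PR. naiveJoin is the unchecked pattern the go/go-path-injection query flags; SafeJoin is the hardened form. The base directory and file names in main are assumed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when the requested path would escape baseDir.
var ErrOutsideBase = errors.New("path escapes base directory")

// naiveJoin is the pattern CodeQL reports as "uncontrolled data used in
// path expression": untrusted input is joined to a base directory with no
// containment check, so "../../etc/passwd" walks out of baseDir.
func naiveJoin(baseDir, userPath string) string {
	return filepath.Join(baseDir, userPath)
}

// SafeJoin resolves userPath under baseDir and rejects anything that does
// not stay inside it. filepath.Abs runs filepath.Clean, so ".." segments
// are collapsed before the containment check. The check compares against
// baseDir plus a trailing separator so that "/srv/data-other" is not
// mistaken for a child of "/srv/data".
func SafeJoin(baseDir, userPath string) (string, error) {
	absBase, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	absTarget, err := filepath.Abs(filepath.Join(absBase, userPath))
	if err != nil {
		return "", err
	}
	if absTarget != absBase &&
		!strings.HasPrefix(absTarget, absBase+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return absTarget, nil
}

func main() {
	// Assumed base directory and requests, for illustration only.
	base := "/srv/data"
	requests := []string{
		"blocks/0001.json",
		"blocks/../index.json",
		"../../etc/passwd",
		"../data-other/secret",
	}
	for _, req := range requests {
		got, err := SafeJoin(base, req)
		fmt.Printf("naive=%-28s safe=%-28s err=%v\n",
			naiveJoin(base, req), got, err)
	}
}
```

The comparison against absBase plus a separator is what makes the check a containment test rather than a string-prefix test. SafeJoin does not resolve symbolic links; if the served directory can contain links pointing outside it, run filepath.EvalSymlinks on the returned path and repeat the prefix check before opening the file.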