Open AkikoOrenji opened 2 years ago
Hi, thanks for opening the issue! I'll check this out next week if I have a chance. I'm going on vacation shortly so I'll try and get it fixed before then.
I hadn't tested exports on Windows, so thanks for catching this.
Can you please provide a screenshot of the file tree inside the Burp tab? Did it include entries with a `..` in the file or folder name? The way I use `Path.resolve` and `Path.normalize` should be constraining file writes to the selected folder, but I'm wondering if I might have an edge case.
Thanks!
Thanks for the quick response. You know you're living in the future when Windows is the edge case 😆 Love it 🥳
The only .. is where node_modules and webpack are sitting.
I tried exporting from a few different locations in the tree but they all get the same problem. Clicking an individual file works though.
Hey @AkikoOrenji @lachlan2k - does this branch solve your issues?
https://github.com/PeterMosmans/source-mapper/tree/fix-export
A binary release can be found in the release folder.
What I've done is try to ensure that the "path join" is OS-independent, so hopefully that works...
Sorry, I completely forgot about this!
I'll review & test tonight. I'll also add proper releases (instead of binaries in the repo) and add some other improvements I've been meaning to get around to.
> Hey @AkikoOrenji @lachlan2k - does this branch solve your issues? https://github.com/PeterMosmans/source-mapper/tree/fix-export A binary release can be found in the release folder.
> What I've done is try to ensure that the "path join" is OS-independent, so hopefully that works...
Unfortunately the use of "." in this branch as opposed to "/" doesn't sufficiently prevent directory traversal.
If the path of a file in the export path is in any ".." folders this may lead to writing outside of the intended directory (or overwriting unintended files).
I have a platform-independent solution that should work. I don't have immediate access to a Windows machine today, but I'll try and sort it in the next week.
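
An added example, not SourceMapper's own code: one platform-independent way to constrain export writes with `Path.resolve` and `Path.normalize`, the approach discussed in this thread. The names `SafeExport` and `safeResolve` and the entry names are constructed for illustration, and it assumes any scheme prefix has already been stripped from the source-map entry name.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class SafeExport {
    /**
     * Maps an untrusted source-map entry name to a path under exportRoot.
     * Throws SecurityException if the result would land outside exportRoot.
     */
    static Path safeResolve(Path exportRoot, String entryName) {
        Path root = exportRoot.toAbsolutePath().normalize();
        Path target = root;
        // Split on both separators so an entry behaves the same on Windows
        // and POSIX, and so a leading "/" or "\" never makes the entry
        // absolute (Path.resolve returns an absolute argument unchanged).
        for (String segment : entryName.split("[/\\\\]+")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;
            }
            target = target.resolve(segment);
        }
        // Collapse ".." only after joining, then compare element-wise:
        // Path.startsWith is not a string-prefix test.
        target = target.normalize();
        if (!target.startsWith(root)) {
            throw new SecurityException("entry escapes export folder: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("export");
        // Constructed entry names, not taken from a real source map.
        String[] entries = {
            "static/app.js", "\\static\\app.js", "/static/app.js",
            "src/../lib/util.js", "../node_modules/pkg/index.js",
            "a/../../outside.js"
        };
        for (String entry : entries) {
            try {
                Path out = safeResolve(root, entry);
                Files.createDirectories(out.getParent());
                Files.writeString(out, "// placeholder\n");
                System.out.println("wrote    " + root.relativize(out) + "  <- " + entry);
            } catch (SecurityException e) {
                System.out.println("rejected " + entry);
            }
        }
    }
}
```

The first four entries are written inside the temporary folder; the last two are rejected because their normalized path leaves it.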
- Version: SourceMapper-0.0.2.jar
- Burp version: 2022.3.8
- Burp Build Number: 13217
- Burp Update Channel: Stable
- java.runtime.version: 17.0.2+8-86

Plugin Output shows :
**- Saving to C:\Users\user\Documents
The plugin errors show:

java.io.FileNotFoundException: \static\app.js (The network path was not found)

It appears an additional slash is making Java assume it's a network path and not a local file system.