Fixes path traversal issue with example _filename attribute. Thanks to @dabdine for bringing attention to the issue! In addition, this enhances bin/recog_verify to be more resilient if an exception occurs while processing more than one fingerprint file.
<example _filename="../../../illegal/path"/>
Motivation and Context
Ensure recog doesn't access files and directories that are out of scope.
How Has This Been Tested?
rake tests
./bin/recog_verify with test fingerprints copied into the XML directory
$ ./bin/recog_verify xml/path-traversal.xml
xml/path-traversal.xml:3: FAIL: an example specifies an illegal file path '../path-traversal'
$ ./bin/recog_verify xml/bad-regex.xml
xml/bad-regex.xml: FAIL: end pattern with unmatched parenthesis: /^($/
$ ./bin/recog_verify xml/*.xml
xml/apache_modules.xml: SUMMARY: Test completed with 298 successful, 0 warnings, and 0 failures
xml/apache_os.xml: SUMMARY: Test completed with 42 successful, 0 warnings, and 0 failures
xml/architecture.xml: SUMMARY: Test completed with 16 successful, 0 warnings, and 0 failures
xml/bad-regex.xml: FAIL: end pattern with unmatched parenthesis: /^($/
...
xml/path-traversal.xml:3: FAIL: an example specifies an illegal file path '../path-traversal'
...
xml/x509_subjects.xml: SUMMARY: Test completed with 195 successful, 0 warnings, and 0 failures
Types of changes
Bug fix (non-breaking change which fixes an issue)
Checklist:
[x] I have updated the documentation accordingly (or changes are not required).
[x] I have added tests to cover my changes (or new tests are not required).
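A containment check of the kind this fix calls for, as an added example (not code from this pull request or from recog). `resolve_example_path`, `IllegalExamplePath` and the temporary directory layout are hypothetical; the error text mirrors the verifier output quoted above.

```ruby
require 'tmpdir'
require 'fileutils'

class IllegalExamplePath < StandardError; end

# Hypothetical helper, not recog's code: resolve an example's _filename value
# against the directory that holds example files; reject anything outside it.
def resolve_example_path(base_dir, filename)
  base = File.realpath(base_dir)
  inside = ->(path) { path.start_with?(base + File::SEPARATOR) }
  begin
    # Lexical normalisation collapses "..", and an absolute name replaces base.
    candidate = File.expand_path(filename, base)
  rescue ArgumentError # NUL byte in the name, or an unknown ~user
    candidate = nil
  end
  # A symlink inside base can still point out of scope, so check the real path.
  candidate = File.realpath(candidate) if candidate && inside.call(candidate) && File.exist?(candidate)
  unless candidate && inside.call(candidate)
    raise IllegalExamplePath, "an example specifies an illegal file path '#{filename}'"
  end
  candidate
end

# Constructed fixture: a temp directory standing in for the example-file directory.
def check_constructed_examples
  Dir.mktmpdir do |root|
    base = File.join(root, 'examples')
    FileUtils.mkdir_p(File.join(base, 'sub'))
    File.write(File.join(base, 'banner.txt'), 'constructed banner')
    File.write(File.join(root, 'out-of-scope.txt'), 'not an example')
    File.symlink(File.join(root, 'out-of-scope.txt'), File.join(base, 'link.txt'))
    names = ['banner.txt', 'sub/../banner.txt', '../path-traversal',
             '../../../illegal/path', '/etc/hostname', 'link.txt', "banner.txt\0.xml"]
    names.map do |name|
      begin
        resolve_example_path(base, name)
        [name, :ok]
      rescue IllegalExamplePath
        [name, :rejected]
      end
    end.to_h
  end
end

check_constructed_examples.each { |name, verdict| puts "#{verdict}\t#{name.inspect}" }
```

The prefix test uses `base + File::SEPARATOR` so that a sibling directory whose name merely starts with the base name does not pass.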