
Commit 410a922

authored
Merge pull request from GHSA-h8g5-vhm4-wx6g
1 parent 1940740 commit 410a922


2 files changed

+21
-6
lines changed


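--- a/app/controllers/courses_controller.rb
+++ b/app/controllers/courses_controller.rb
@@ -1,6 +1,7 @@
 require "archive"
 require "csv"
 require "fileutils"
+require "pathname"
 require "statistics"
 
 class CoursesController < ApplicationController
@@ -1107,15 +1108,18 @@ def extract_tar_for_moss(tmp_dir, external_tar, archive)
 pathname = Archive.get_entry_name(entry)
 next if Archive.looks_like_directory?(pathname)
 
-destination = if archive
-File.join(extFilesDir,
-pathname)
+output_dir = if archive
+extFilesDir
 else
-File.join(baseFilesDir, pathname)
+baseFilesDir
 end
-pathname.gsub!(%r{/}, "-")
+output_file = File.join(output_dir, pathname)
+
+# skip if the file lies outside the archive
+next unless Archive.in_dir?(Pathname(output_file), Pathname(output_dir))
+
 # make sure all subdirectories are there
-File.open(destination, "wb") do |out|
+File.open(output_file, "wb") do |out|
 out.write Archive.read_entry_file(entry)
 begin
 out.fsync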
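Review bot: The comment `# make sure all subdirectories are there` is followed directly by `File.open(output_file, "wb")`, yet nothing in the hunk creates the parent directory, and `output_file` now keeps the entry's directory components, so an entry such as `sub/x.rb` would raise `Errno::ENOENT` unless a mkdir happens elsewhere (the removed `gsub!` ran after `destination` was already built, so this is probably pre-existing rather than introduced here). Since the file already requires `fileutils`, `FileUtils.mkdir_p(File.dirname(output_file))` placed after the `in_dir?` guard would satisfy the comment while ensuring no directory is created for a rejected name. The new guard is lexical (`expand_path` in `Archive.in_dir?`), so it does not cover a symlink already present under `output_dir`; worth confirming that symlink entries are never materialised by this loop. `extract_tar_for_moss` starts and ends outside the hunk.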
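--- a/lib/archive.rb
+++ b/lib/archive.rb
@@ -232,4 +232,15 @@ def self.create_zip(paths)
 def self.looks_like_directory?(pathname)
 pathname.ends_with?("/")
 end
+
+# Check if a path lies (strictly) within a directory
+# Takes two Pathname objects
+# https://gist.github.com/henrik/48e8bb74de9d887770dfb3cc6efaa9b2
+def self.in_dir?(path, dir)
+path_parts = path.expand_path.each_filename.to_a
+dir_parts = dir.expand_path.each_filename.to_a
+return false if path_parts == dir_parts
+
+dir_parts.zip(path_parts).all? { |x, y| x == y }
+end
 end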