Permalink
Browse files

Merge pull request #233 from amonakov/patch-1

base-compiler.js: acknowledge checkSource weakness
  • Loading branch information...
2 parents 342a87e + f6ab7fe commit 29a47266f210f563d57228418ea9f1cbcb14e84d @mattgodbolt committed on GitHub Jan 11, 2017
Showing with 4 additions and 0 deletions.
  1. +4 −0 lib/base-compiler.js
@@ -237,6 +237,10 @@ Compile.prototype.checkOptions = function (options) {
return null;
};
+// This check for arbitrary user-controlled preprocessor inclusions
+// can be circumvented in more than one way. The goal here is to respond
+// to simple attempts with a clear diagnostic; the service still needs to
+// assume that malicious actors can make the compiler open arbitrary files.
Compile.prototype.checkSource = function (source) {
var re = /^\s*#\s*i(nclude|mport)(_next)?\s+["<"](\/|.*\.\.)/;
var failed = [];

0 comments on commit 29a4726

Please sign in to comment.