This repository has been archived by the owner on Oct 19, 2024. It is now read-only.
Modpack format path warning does not cover all possible bad paths on windows
#84
Comments
|
If those paths are accepted by some launcher implementations, this should be escalated to a security advisory (CWE-35: Path transversal) |
|
CWE-22 actually CWE-35 is covered by the |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Going off of https://learn.microsoft.com/en-us/dotnet/standard/io/file-path-formats the given warning on https://docs.modrinth.com/docs/modpacks/format_definition/#path that says to "make sure it doesn't contain
..or start with a drive name (i.e.,[A-Z]:/,[A-Z]:\, and/).", If implemented at face value, would still result in multiple bad file paths being permitted such as:\Program Files\Custom Utilities\StringFinder.exe: A relative path from the root of the current drive.\\system07\C$\: The root directory of the C: drive on system07. (A network drive/resource)\\.\C:\Test\Foo.txtand\\?\C:\Test\Foo.txt..\This could be resolved by either adding
\as a disallowed starting character and adding..\, or promoting normalization checks insteadThe text was updated successfully, but these errors were encountered: