Path-construction vulnerabilities #67

Open
stuartpb opened this issue Jun 3, 2015 · 1 comment

stuartpb commented Jun 3, 2015

It would be nice (and by "nice" I mean "terrifying") to go through Plushu and its plugins (specifically their commands) and find all the places where stuff like /../ can be inserted in a variable that gets used as a path to possibly/potentially expose or manipulate things that aren't supposed to be so.

Some of these should maybe even be fixed (does Bash have an equivalent to path.resolve?).

@stuartpb

http://stackoverflow.com/questions/284662/how-do-you-normalize-a-file-path-in-bash - it's nasty. It'd probably be better to just rewrite plugin commands to enforce validation and include directory-name safety as part of that validation.

Although, really, Plushu isn't the level you should be preventing can-maybe-do-something-neat-due-to-being-so-dumb-isms at. This is more a concern for the Style Guide.
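The validation approach suggested in the last comment, sketched as an added example that is not part of the original thread or Plushu's own code. `safe_component` and `safe_join` are hypothetical helper names, and the character allowlist and the refuse-symlinks policy are assumptions.

```shell
#!/bin/sh
# Added example; safe_component and safe_join are hypothetical helper names.
LC_ALL=C; export LC_ALL   # keep [A-Z] ranges byte-wise, independent of locale

# Succeed only if $1 is one harmless path component (assumed allowlist).
safe_component() {
  case "$1" in
    ''|.*|-*) return 1 ;;            # empty, ".", "..", hidden, option-like
    */*) return 1 ;;                 # a separator means more than one component
    *[!A-Za-z0-9._-]*) return 1 ;;   # anything outside the allowlist
  esac
  return 0
}

# Print the path for name $2 directly under existing directory $1, or fail.
safe_join() {
  safe_component "$2" || return 1
  # Resolve the base itself so the result is absolute and symlink-free.
  sj_base=$(CDPATH= cd -- "$1" 2>/dev/null && pwd -P) || return 1
  # Assumed policy: a validated name that is a symlink is refused, since
  # the link could point outside the base directory.
  if [ -L "$sj_base/$2" ]; then
    return 1
  fi
  printf '%s\n' "$sj_base/$2"
}

# Constructed sample inputs: one valid name, then traversal attempts.
for name in myapp ../secret 'a/../b' .. -rf; do
  if safe_component "$name"; then
    echo "accept: $name"
  else
    echo "reject: $name"
  fi
done
```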
