Unsafe URL construction in the CodeSnippets cog #3315

Open
@decorator-factory

Exploitation example:

<https://github.com/python/cpython/blob/main/../../../../users/octocat#L1>

(Discord unhelpfully resolves the ..s)

The reason this is happening is this regex matching ../../../../users/octocat as the filename and then blindly substituting it into this URL template. .. in a URL has a similar meaning to UNIX file paths: the parent directory. So the resulting URL (https://api.github.com/repos/python/cpython/contents/../../../../users/octocat?ref=main) means the same as https://api.github.com/users/octocat?ref=main.

Not sure if there's a good fix for this besides just not allowing (\.|%2[eE]){2} in the URL. (Yes, .%2E and %2e%2E do both mean "parent directory", don't you love URI)
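One way to apply the check discussed above per path segment rather than on the raw string, as an added example that is not part of the issue or the bot's code. `API_TEMPLATE` is modelled on the URL quoted in the issue; `build_contents_url`, `safe_segments` and `UnsafePath` are hypothetical names, and `repo` is assumed to be validated elsewhere.

```python
import posixpath
import re
from urllib.parse import quote, unquote, urlsplit

# Assumed template shape, modelled on the API URL quoted in the issue.
API_TEMPLATE = "https://api.github.com/repos/{repo}/contents/{path}?ref={ref}"

# The pattern suggested in the issue: two dots, each literal or percent-encoded.
DOT_DOT = re.compile(r"(\.|%2[eE]){2}")


class UnsafePath(ValueError):
    """Raised when a user-supplied path could leave the intended API prefix."""


def safe_segments(path: str) -> list[str]:
    """Split a user-supplied file path, rejecting dot-segments in any encoding."""
    segments = []
    for raw in path.split("/"):
        decoded = unquote(raw)  # one decoding pass, as the server would do
        if decoded in (".", ".."):
            raise UnsafePath(f"dot-segment in path: {raw!r}")
        if "/" in decoded or "\\" in decoded:
            raise UnsafePath(f"encoded separator in path: {raw!r}")
        if decoded:  # drop empty segments produced by duplicate slashes
            segments.append(decoded)
    if not segments:
        raise UnsafePath("empty path")
    return segments


def build_contents_url(repo: str, path: str, ref: str) -> str:
    """Build the contents API URL; repo is assumed to be validated already."""
    # Re-encode each decoded segment so a leftover '%' becomes '%25' and
    # cannot turn into a dot-segment after a second decoding pass.
    encoded = "/".join(quote(seg, safe="") for seg in safe_segments(path))
    url = API_TEMPLATE.format(repo=repo, path=encoded, ref=quote(ref, safe=""))

    # Defence in depth: the normalised path must stay under the prefix.
    prefix = f"/repos/{repo}/contents/"
    if not posixpath.normpath(urlsplit(url).path).startswith(prefix):
        raise UnsafePath("URL escapes the contents prefix")
    return url
```

Checking decoded segments accepts a file name such as `a..b.txt`, which the substring pattern `DOT_DOT` would reject.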
