feat: prevent path traversal when loading dump

tritonmc · Jul 15, 2024 · b4f7e99 · b4f7e99
1 parent 075427a
commit b4f7e99
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/core/src/main/java/com/rexcantor64/triton/debug/LoadDump.java b/core/src/main/java/com/rexcantor64/triton/debug/LoadDump.java
@@ -35,6 +35,11 @@ public static List<Component> getMessagesFromDump(String dumpName, int startLine
         Path dumpFolderPath = tritonFolderPath.resolve(DUMP_FOLDER_NAME);
         Path dumpPath = dumpFolderPath.resolve(dumpName);
 
+        if (!dumpPath.toAbsolutePath().normalize().startsWith(dumpFolderPath.toAbsolutePath().normalize())) {
+            // path traversal attack
+            throw new IOException("Tried to access file outside dump folder");
+        }
+
         File dumpFile = dumpPath.toFile();
 
         @Cleanup