-
-
Notifications
You must be signed in to change notification settings - Fork 26.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Use file name whitelist to prevent RCE (#4866)
* Use file name whitelist to prevent RCE Use a whitelist to validate user-provided file names. This doesn't cover the entire range of valid filenames but should cover almost all of them in practice. Allows letters, numbers, periods, dashes, and underscores. Opting to use a whitelist instead of a blacklist because getting this wrong leaves us vulnerable to a RCE attack. * Allow alphabet characters from all languages Updated the whitelist to /^[\p{L}0-9/.\-_]+$/u, which matches alphanumeric characters, periods, dashes, and underscores. Unicode property support is stage 4 so I've inlined the transpiled version. * Only use file name whitelist on Windows * Log error message if file name does not pass whitelist
- Loading branch information
Showing
1 changed file
with
28 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters