Commit graph

9 commits

Author SHA1 Message Date
Simon Detheridge
56dcbefb5b Check for safe paths in all ProjectEntityHandler methods
Some import mechanisms (for example, GitHub project import) call methods such as 'upsert*' directly, bypassing existing filename checks.

Added checks to all methods in ProjectEntityHandler that can create or rename a file.

bug: overleaf/sharelatex#908
Signed-off-by: Simon Detheridge <s@sd.ai>
2018-10-08 15:31:04 +01:00
Simon Detheridge
e66210d2af Add method to sanitize full paths
For convenience, add a method to SafePath to break a path into components and verify the status of each one.

bug: overleaf/sharelatex#908
Signed-off-by: Simon Detheridge <s@sd.ai>
2018-10-08 14:48:17 +01:00
Nate Stemen
ebea8a8633 use regex test instead of match when only bool needed 2018-08-27 14:25:01 -04:00
James Allen
becb76d69b Don't allow backslashes in file names 2018-03-01 11:42:44 +00:00
Brian Gough
8a10e98b56 block javascript property names being used as file names 2018-02-16 10:31:47 +00:00
Brian Gough
9c36b38e2c make SafePath.coffee shareable between client and server code 2018-02-07 15:43:56 +00:00
Brian Gough
57549d32be remove unused path module 2018-02-07 15:28:26 +00:00
Brian Gough
c6f74d24f1 add missing SafePath.clean function 2018-02-07 15:21:04 +00:00
Brian Gough
7f727d434e server side check for valid filenames 2018-02-06 10:44:58 +00:00