CVE-2022-35861: Fixed relative path traversal due to using version string in path (#2412)

2024-11-21 20:47:00 -05:00 · 2022-07-16 15:01:04 -07:00 · 2022-07-16 15:01:04 -07:00 · 22fa683571
commit 22fa683571
parent 0eba0a5bd5
2 changed files with 22 additions and 3 deletions
--- a/libexec/pyenv-version-file-read
+++ b/libexec/pyenv-version-file-read
@ -11,9 +11,16 @@ if [ -s "$VERSION_FILE" ]; then
  IFS="${IFS}"$'\r'
  sep=
  while read -n 1024 -r version _ || [[ $version ]]; do
-      [[ -z $version || $version == \#* ]] && continue
-      printf "%s%s" "$sep" "$version"
-      sep=:
+    if [[ -z $version || $version == \#* ]]; then
+      # Skip empty lines and comments
+      continue
+    elif [ "$version" = ".." ] || [[ $version == */* ]]; then
+      # The version string is used to construct a path and we skip dubious values.
+      # This prevents issues such as path traversal (CVE-2022-35861).
+      continue
+    fi
+    printf "%s%s" "$sep" "$version"
+    sep=:
  done <"$VERSION_FILE"
  [[ $sep ]] && { echo; exit; }
 fi
--- a/test/version-file-read.bats
+++ b/test/version-file-read.bats
@ -82,3 +82,15 @@ IN
  run pyenv-version-file-read my-version
  assert_success "3.9.3:3.8.9:2.7.16"
 }
+
+@test "skips relative path traversal" {
+  cat > my-version <<IN
+3.9.3
+3.8.9
+  ..
+./*
+2.7.16
+IN
+  run pyenv-version-file-read my-version
+  assert_success "3.9.3:3.8.9:2.7.16"
+}