Skip to content

path traversal risk in project flag #78

Description

@notnmeyer

project names aren't validated, allowing path traversal.

problem

--project accepts arbitrary strings. this works:

daylog -p "../../etc" -a "pwned"

but creates files outside the intended $XDG_DATA_HOME/daylog directory.

fix

sanitize project names before use:

func sanitizeProject(name string) (string, error) {
    name = strings.TrimSpace(name)
    if name == "" {
        return "", errors.New("project name cannot be empty")
    }
    if strings.Contains(name, "..") ||
       strings.Contains(name, "/") ||
       strings.Contains(name, "\\") {
        return "", errors.New("project name cannot contain path separators or ..")
    }
    return name, nil
}

could also allow work/client-x style nesting as a separate feature, but blocking traversal is the minimum.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions