fix(tag/include_code): prevent path traversal #5251

Merged
merged 6 commits into from
Apr 16, 2024

Member

@stevenjoezhang stevenjoezhang commented Jul 26, 2023

What does it do?

Issue resolved: #5250

WIP: Not working on Windows

Screenshots

Pull request tasks

  • Add test cases for the changes.
  • Passed the CI test.

@github-actions

How to test

git clone -b path-traversal https://github.com/hexojs/hexo.git
cd hexo
npm install
npm test

@coveralls

coveralls commented Jul 26, 2023

Pull Request Test Coverage Report for Build 8707184206

Details

  • 25 of 25 (100.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 99.531%

Totals Coverage Status
Change from base Build 8706447139: 0.0%
Covered Lines: 9332
Relevant Lines: 9376

💛 - Coveralls

@stevenjoezhang stevenjoezhang linked an issue Jul 27, 2023 that may be closed by this pull request
@stevenjoezhang stevenjoezhang marked this pull request as draft July 27, 2023 15:10
@uiolee
Member

uiolee commented Sep 12, 2023

fixed working in windows

by using the method defined in hexo/lib/box/index

hexo/lib/box/index.ts

Lines 232 to 235 in 7b588e7

function escapeBackslash(path) {
  // Replace backslashes on Windows
  return path.replace(/\\/g, '/');
}
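
An added example, not part of this thread and not Hexo's code: one way a prefix-based containment check for an included file can misbehave with Windows separators, and how normalizing both sides with the `escapeBackslash` helper quoted above avoids it. `isInside`, `naiveIsInside` and the sample directories are hypothetical and constructed for illustration.

```javascript
// Added example, not Hexo's code. isInside, naiveIsInside and the
// sample directories below are hypothetical and constructed.
const nodePath = require('path');

// Same helper as the one quoted from hexo/lib/box/index.ts.
function escapeBackslash(p) {
  // Replace backslashes on Windows
  return p.replace(/\\/g, '/');
}

// Prefix check without normalization. With win32 semantics, resolve()
// returns backslash-separated paths, so a forward-slash base never matches.
function naiveIsInside(pathImpl, baseDir, requested) {
  return pathImpl.resolve(baseDir, requested).startsWith(baseDir + '/');
}

// Resolve first (collapsing any ".." segments), normalize separators on
// both sides, then compare against the base plus a trailing slash so a
// sibling such as "code-private" does not pass as a prefix of "code".
function isInside(pathImpl, baseDir, requested) {
  const base = escapeBackslash(pathImpl.resolve(baseDir));
  const target = escapeBackslash(pathImpl.resolve(baseDir, requested));
  const prefix = base.endsWith('/') ? base : base + '/';
  return target.startsWith(prefix);
}

// path.win32 / path.posix make the results identical on any host OS.
const winBase = 'C:/site/source/downloads/code';
const samples = ['demo/test.js', '..\\..\\_config.yml', '../code-private/x.js'];
for (const s of samples) {
  console.log(s, 'naive:', naiveIsInside(nodePath.win32, winBase, s),
    'normalized:', isInside(nodePath.win32, winBase, s));
}
```

The naive check rejects every sample, including the legitimate `demo/test.js`; the normalized check accepts only that one.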

uiolee
uiolee previously approved these changes Oct 13, 2023
@stevenjoezhang stevenjoezhang changed the base branch from v7.0.0 to master October 25, 2023 05:02
@stevenjoezhang stevenjoezhang dismissed uiolee’s stale review October 25, 2023 05:02

The base branch was changed.

uiolee
uiolee previously approved these changes Dec 22, 2023
github-actions bot commented Apr 6, 2024

How to test

git clone -b path-traversal https://github.com/hexojs/hexo.git
cd hexo
npm install
npm test

@stevenjoezhang stevenjoezhang requested a review from uiolee April 6, 2024 12:59
@stevenjoezhang stevenjoezhang marked this pull request as ready for review April 6, 2024 12:59
uiolee
uiolee previously approved these changes Apr 6, 2024
@stevenjoezhang
Member Author

stevenjoezhang commented Apr 8, 2024

WIP: I'll rebase it after #5385 and #5457 merged

Done

@stevenjoezhang stevenjoezhang marked this pull request as draft April 8, 2024 16:15
@stevenjoezhang stevenjoezhang marked this pull request as ready for review April 9, 2024 12:50
uiolee
uiolee previously approved these changes Apr 14, 2024
Member

@yoshinorin yoshinorin left a comment

I resolved conflict with master branch: c95fba1

@uiolee uiolee merged commit b5b63ca into master Apr 16, 2024
29 of 31 checks passed
@uiolee uiolee deleted the path-traversal branch April 16, 2024 15:58
dimaslanjaka pushed a commit to dimaslanjaka/hexo that referenced this pull request Oct 3, 2024
Successfully merging this pull request may close these issues.

By pass security check: do not allow ../ in path
4 participants