Tuesday 22 January 2019

Question: NodeJS secure file saving into file system. Preventing path traversal

Hello, I'm writing a simple desktop app using electronJS (please don't judge me for using Electron; I need a fast solution for all 3 platforms) (Electron runs on the Node.js engine), which lets the user upload files to the cloud, list files, and download files. When the user clicks "Download file", the app downloads the file to the destination the user selected on his computer. I want to prevent a path traversal vulnerability, which would allow overwriting the user's local files when they download files other people uploaded.

Use case: the user selects the download location "/home/userName/Downloads". The uploaded file has the name "../.ssh/id_rsa". So the complete save location would be "/home/userName/.ssh/id_rsa" and your private key would be destroyed.

Possible solutions?

Filter the file name and extension using a blacklist and slice out characters like .. / \\ null bytes. In web development blacklists normally never work, but in this case I need to allow all characters except malicious ones.

    var path = require('path');
    path.join('/home/userName/Downloads/', '../picture.jpg');

or

    path.join('/home/userName/Downloads', '../picture.jpg');

returns "/home/userName/picture.jpg", so path.join() doesn't help.

Thanks.

Submitted January 22, 2019 at 01:21PM by AshamedRange
