Fix: potential vulnerability in http provider (#2680)

chwjbn · Apr 16, 2023 · df61a58 · df61a58
1 parent 8e05fbf
commit df61a58
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/adapter/provider/parser.go b/adapter/provider/parser.go
@@ -10,7 +10,10 @@ import (
 	types "github.com/Dreamacro/clash/constant/provider"
 )
 
-var errVehicleType = errors.New("unsupport vehicle type")
+var (
+	errVehicleType = errors.New("unsupport vehicle type")
+	errSubPath     = errors.New("path is not subpath of home directory")
+)
 
 type healthCheckSchema struct {
 	Enable   bool   `provider:"enable"`
@@ -53,6 +56,9 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
 	case "file":
 		vehicle = NewFileVehicle(path)
 	case "http":
+		if !C.Path.IsSubPath(path) {
+			return nil, fmt.Errorf("%w: %s", errSubPath, path)
+		}
 		vehicle = NewHTTPVehicle(schema.URL, path)
 	default:
 		return nil, fmt.Errorf("%w: %s", errVehicleType, schema.Type)

diff --git a/constant/path.go b/constant/path.go
@@ -4,6 +4,7 @@ import (
 	"os"
 	P "path"
 	"path/filepath"
+	"strings"
 )
 
 const Name = "clash"
@@ -51,6 +52,18 @@ func (p *path) Resolve(path string) string {
 	return path
 }
 
+// IsSubPath return true if path is a subpath of homedir
+func (p *path) IsSubPath(path string) bool {
+	homedir := p.HomeDir()
+	path = p.Resolve(path)
+	rel, err := filepath.Rel(homedir, path)
+	if err != nil {
+		return false
+	}
+
+	return !strings.Contains(rel, "..")
+}
+
 func (p *path) MMDB() string {
 	return P.Join(p.homeDir, "Country.mmdb")
 }