Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix output paths #991

Merged
merged 3 commits into from
Dec 20, 2021
Merged

Fix output paths #991

merged 3 commits into from
Dec 20, 2021

Conversation

cmoesel
Copy link
Member

@cmoesel cmoesel commented Dec 20, 2021
edited
Loading

Fixes #990.

Since SUSHI uses resource ids and IG ids to name files, it is possible to provide an id w/ path traversal characters (e.g., /../../ to write to an arbitrary location). Since SUSHI only writes JSON files, however, note that this can only be used to write/overwrite files w/ a .json extension.

You can test this by first checking out only 7c8a745 and confirming the tests do not pass. Then checking out the rest of the branch and confirming the tests pass.

I am also attaching a simple project (NaughtyPaths.zip) that exercises the bug. If you unzip it and run SUSHI on it:

  • the currently released SUSHI will write SURPRISE.json and BOO.json files to your project root (instead of fsh-generated/resources)
  • this PR branch will write them to fsh-generated/resources as expected, with problematic characters converted to -.

@cmoesel
Broken tests for devious ids
7c8a745 
If authors choose ids w/ path separators, they can traverse the output to write to any destination. These tests will only pass if these problematic paths are sanitized.
@cmoesel
Sanitize file names created from ids
5e3cbcf
@cmoesel
Copy link
Member Author

cmoesel commented Dec 20, 2021

BTW -- I searched the whole code base for all cases where we write files to disk to ensure I had captured all the potential issues. I also ran a full regression and confirmed this does not affect an IGs -- which means that no one was using invalid characters, which is good!

@julianxcarter julianxcarter self-assigned this Dec 20, 2021
julianxcarter
julianxcarter previously approved these changes Dec 20, 2021
View reviewed changes
Copy link
Contributor

@julianxcarter julianxcarter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

@jafeltra jafeltra self-assigned this Dec 20, 2021
jafeltra
jafeltra reviewed Dec 20, 2021
View reviewed changes
Copy link
Collaborator

@jafeltra jafeltra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good - I just had one minor comment.

src/fhirtypes/CodeSystem.ts Outdated Show resolved Hide resolved
jafeltra
jafeltra approved these changes Dec 20, 2021
View reviewed changes
Copy link
Collaborator

@jafeltra jafeltra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Amazing work!

@cmoesel cmoesel merged commit 3b6cebe into master Dec 20, 2021
@cmoesel cmoesel deleted the fix-output-paths branch December 20, 2021 22:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jafeltra jafeltra jafeltra approved these changes

@julianxcarter julianxcarter julianxcarter left review comments

@mint-thompson mint-thompson Awaiting requested review from mint-thompson

Assignees

@jafeltra jafeltra

@julianxcarter julianxcarter

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Malicious IDs allow for path traversal
3 participants
@cmoesel @jafeltra @julianxcarter