|
| 1 | +// Copyright (c) 2026 Calvin Min |
| 2 | +// SPDX-License-Identifier: MIT |
| 3 | +#include "path_utils.h" |
| 4 | + |
| 5 | +#include <algorithm> |
| 6 | +#include <cstring> |
| 7 | +#include <stdexcept> |
| 8 | + |
| 9 | +namespace databricks { |
| 10 | +namespace internal { |
| 11 | + |
| 12 | +std::string validate_path(const std::string& path, bool allow_absolute) { |
| 13 | + // Check for empty path |
| 14 | + if (path.empty()) { |
| 15 | + throw std::invalid_argument("Path cannot be empty"); |
| 16 | + } |
| 17 | + |
| 18 | + // Check for null bytes (potential injection) |
| 19 | + if (path.find('\0') != std::string::npos) { |
| 20 | + throw std::invalid_argument("Path contains null byte"); |
| 21 | + } |
| 22 | + |
| 23 | + // Check for excessively long paths (potential DoS) |
| 24 | + const size_t MAX_PATH_LENGTH = 4096; |
| 25 | + if (path.length() > MAX_PATH_LENGTH) { |
| 26 | + throw std::invalid_argument("Path exceeds maximum length of " + std::to_string(MAX_PATH_LENGTH)); |
| 27 | + } |
| 28 | + |
| 29 | + // Check for path traversal patterns |
| 30 | + // Look for ".." as a complete path component (not part of a filename) |
| 31 | + size_t pos = 0; |
| 32 | + while ((pos = path.find("..", pos)) != std::string::npos) { |
| 33 | + // Check if ".." is a standalone component |
| 34 | + bool is_start = (pos == 0); |
| 35 | + bool is_end = (pos + 2 >= path.length()); |
| 36 | + bool before_separator = (pos > 0 && path[pos - 1] == '/'); |
| 37 | + bool after_separator = (pos + 2 < path.length() && path[pos + 2] == '/'); |
| 38 | + |
| 39 | + if ((is_start || before_separator) && (is_end || after_separator)) { |
| 40 | + throw std::invalid_argument("Path contains path traversal sequence (..)"); |
| 41 | + } |
| 42 | + pos++; |
| 43 | + } |
| 44 | + |
| 45 | + // Check for absolute paths if not allowed |
| 46 | + if (!allow_absolute && !path.empty() && path[0] == '/') { |
| 47 | + throw std::invalid_argument("Absolute paths are not allowed"); |
| 48 | + } |
| 49 | + |
| 50 | + // Additional security checks for suspicious patterns |
| 51 | + if (path.find("/../") != std::string::npos || path.find("/./") != std::string::npos) { |
| 52 | + throw std::invalid_argument("Path contains suspicious pattern"); |
| 53 | + } |
| 54 | + |
| 55 | + // Check for paths starting with ".." |
| 56 | + if (path.find("..") == 0 && (path.length() == 2 || path[2] == '/')) { |
| 57 | + throw std::invalid_argument("Path starts with path traversal sequence"); |
| 58 | + } |
| 59 | + |
| 60 | + // Check for paths ending with "/.." |
| 61 | + if (path.length() >= 3 && path.substr(path.length() - 3) == "/..") { |
| 62 | + throw std::invalid_argument("Path ends with path traversal sequence"); |
| 63 | + } |
| 64 | + |
| 65 | + return path; |
| 66 | +} |
| 67 | + |
| 68 | +std::string safe_join_path(const std::string& base_dir, const std::string& filename) { |
| 69 | + // Validate base directory |
| 70 | + if (base_dir.empty()) { |
| 71 | + throw std::invalid_argument("Base directory cannot be empty"); |
| 72 | + } |
| 73 | + |
| 74 | + validate_path(base_dir, true); |
| 75 | + |
| 76 | + // Validate filename |
| 77 | + if (filename.empty()) { |
| 78 | + throw std::invalid_argument("Filename cannot be empty"); |
| 79 | + } |
| 80 | + |
| 81 | + // Filename should not contain directory separators or path traversal |
| 82 | + if (filename.find('/') != std::string::npos) { |
| 83 | + throw std::invalid_argument("Filename cannot contain directory separators"); |
| 84 | + } |
| 85 | + |
| 86 | + if (filename.find("..") != std::string::npos) { |
| 87 | + throw std::invalid_argument("Filename cannot contain path traversal sequence"); |
| 88 | + } |
| 89 | + |
| 90 | + // Check for null bytes |
| 91 | + if (filename.find('\0') != std::string::npos) { |
| 92 | + throw std::invalid_argument("Filename contains null byte"); |
| 93 | + } |
| 94 | + |
| 95 | + // Construct the path |
| 96 | + std::string result = base_dir; |
| 97 | + if (!result.empty() && result.back() != '/') { |
| 98 | + result += '/'; |
| 99 | + } |
| 100 | + result += filename; |
| 101 | + |
| 102 | + // Final validation of the complete path |
| 103 | + validate_path(result, true); |
| 104 | + |
| 105 | + return result; |
| 106 | +} |
| 107 | + |
| 108 | +std::string validate_env_path(const std::string& path, const std::string& env_var_name) { |
| 109 | + // Additional validation for environment variable paths |
| 110 | + if (path.empty()) { |
| 111 | + throw std::invalid_argument("Environment variable " + env_var_name + " is empty"); |
| 112 | + } |
| 113 | + |
| 114 | + // Check for control characters (potential injection) |
| 115 | + for (char c : path) { |
| 116 | + if (std::iscntrl(static_cast<unsigned char>(c)) && c != '\0') { |
| 117 | + throw std::invalid_argument("Path from " + env_var_name + " contains control characters"); |
| 118 | + } |
| 119 | + } |
| 120 | + |
| 121 | + // Validate the path using standard validation |
| 122 | + validate_path(path, true); |
| 123 | + |
| 124 | + // Additional check: ensure path doesn't start with suspicious patterns |
| 125 | + const std::string dangerous_prefixes[] = {"/etc/", "/sys/", "/proc/", "/dev/"}; |
| 126 | + |
| 127 | + for (const auto& prefix : dangerous_prefixes) { |
| 128 | + if (path.find(prefix) == 0) { |
| 129 | + throw std::invalid_argument("Path from " + env_var_name + |
| 130 | + " points to restricted system directory: " + prefix); |
| 131 | + } |
| 132 | + } |
| 133 | + |
| 134 | + return path; |
| 135 | +} |
| 136 | + |
| 137 | +} // namespace internal |
| 138 | +} // namespace databricks |
0 commit comments