Commit ddfe782
committed
fix: validate OTA firmware paths to prevent traversal
payload.hex.file_name on bridge/request/device/ota_update/{update,
schedule} flowed unvalidated into join(baseDir, fileName), letting
MQTT clients write attacker-controlled firmware bytes to arbitrary
paths. Resolve the target via the shared resolveSafeChildPath helper
and reject anything that isn't a direct child of <data>/ota. Wrap the
writeFirmwareHexToDataDir calls in try/catch so the validation throw
surfaces as an error response on the bridge topic instead of crashing
the handler.
Replace the unschedule rmSync prefix check with the same helper.
A string-based startsWith with path.sep is bypassable by storing a
traversed payload.url ("<data>/ota/../../etc/passwd") at schedule
time: the prefix matches but the syscall resolves outside the OTA
dir. resolveSafeChildPath normalizes via path.resolve and rejects
anything whose parent isn't <data>/ota.
Includes regression tests for ".." / "." / "../escape.hex" file_name
on update + schedule, and a traversal-url unschedule case.1 parent 99d41a0 commit ddfe782
2 files changed
Lines changed: 70 additions & 13 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
31 | 31 | | |
32 | 32 | | |
33 | 33 | | |
34 | | - | |
35 | | - | |
36 | | - | |
37 | | - | |
38 | 34 | | |
| 35 | + | |
39 | 36 | | |
40 | 37 | | |
41 | 38 | | |
42 | 39 | | |
43 | 40 | | |
44 | | - | |
45 | | - | |
46 | 41 | | |
47 | 42 | | |
48 | 43 | | |
| |||
340 | 335 | | |
341 | 336 | | |
342 | 337 | | |
343 | | - | |
344 | | - | |
| 338 | + | |
| 339 | + | |
| 340 | + | |
| 341 | + | |
| 342 | + | |
| 343 | + | |
| 344 | + | |
345 | 345 | | |
346 | 346 | | |
347 | 347 | | |
| |||
411 | 411 | | |
412 | 412 | | |
413 | 413 | | |
414 | | - | |
415 | | - | |
| 414 | + | |
| 415 | + | |
| 416 | + | |
| 417 | + | |
| 418 | + | |
| 419 | + | |
| 420 | + | |
416 | 421 | | |
417 | 422 | | |
418 | 423 | | |
| |||
435 | 440 | | |
436 | 441 | | |
437 | 442 | | |
438 | | - | |
439 | | - | |
| 443 | + | |
| 444 | + | |
| 445 | + | |
| 446 | + | |
| 447 | + | |
| 448 | + | |
| 449 | + | |
| 450 | + | |
440 | 451 | | |
441 | 452 | | |
442 | 453 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
8 | 8 | | |
9 | 9 | | |
10 | 10 | | |
11 | | - | |
| 11 | + | |
12 | 12 | | |
13 | 13 | | |
14 | 14 | | |
| |||
409 | 409 | | |
410 | 410 | | |
411 | 411 | | |
| 412 | + | |
| 413 | + | |
| 414 | + | |
| 415 | + | |
| 416 | + | |
| 417 | + | |
| 418 | + | |
| 419 | + | |
| 420 | + | |
| 421 | + | |
| 422 | + | |
| 423 | + | |
| 424 | + | |
| 425 | + | |
| 426 | + | |
| 427 | + | |
| 428 | + | |
| 429 | + | |
| 430 | + | |
| 431 | + | |
| 432 | + | |
| 433 | + | |
| 434 | + | |
| 435 | + | |
| 436 | + | |
412 | 437 | | |
413 | 438 | | |
414 | 439 | | |
| |||
1212 | 1237 | | |
1213 | 1238 | | |
1214 | 1239 | | |
| 1240 | + | |
| 1241 | + | |
| 1242 | + | |
| 1243 | + | |
| 1244 | + | |
| 1245 | + | |
| 1246 | + | |
| 1247 | + | |
| 1248 | + | |
| 1249 | + | |
| 1250 | + | |
| 1251 | + | |
| 1252 | + | |
| 1253 | + | |
| 1254 | + | |
| 1255 | + | |
| 1256 | + | |
| 1257 | + | |
| 1258 | + | |
| 1259 | + | |
| 1260 | + | |
1215 | 1261 | | |
1216 | 1262 | | |
1217 | 1263 | | |
| |||
0 commit comments