fix(932200): detect windows style filepaths #2595
Conversation
CRS Bug Bounty PR assessment
This is not meant to be final. As a CRS dev, feel free to comment below and edit this form directly. As committer or observer, feel free to comment below with feedback and we will think about updating the assessment accordingly.
@s0md3v Your new test doesn't seem to be working at the moment.
We have a rule for backslash notation in the contribution guidelines: We need also a test for the backslash, some more tests could really help.
Can you also be sure that your PR doesn't change permissions on files? I see a change from 644 to 755 (probably because of WSL?).
Oops. Seems that the test is failing:
Is the test wrong or does the rule have a problem? Could you have a look at that @s0md3v ?
I'm struggling to make the test match. Will enter debug mode.
I believe the proposal here changes the existing regular expression in ways that fundamentally change its meaning. I think this needs a closer inspection. I also have been unable to trigger the exploit described (tested briefly on a Windows 10 box: exploit doesn't work in
This issue may be harder than it looks (or maybe not). I am confused because as far as I know, we should have detected this technique also in earlier releases. So I think we may have to fix an existing rule as well, and that rule is really complex. I will close this for now, and use it as a reference.
Issue: U8Z0MSCP
Description: The affected rule only works on *nix style filepaths.
Fix: Detect Windows style filepaths by considering \ as valid filepath delimiter like /.
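The description above says the fix is to treat the backslash as a path delimiter alongside the forward slash. The following is an added illustration of that idea and of the regression check the reviewers asked for (a test for the backslash, and evidence that the change only widens detection rather than altering what the rule already matched). It is not the CRS 932200 regex and not code from this PR: the two patterns, the helper names and the sample strings are all constructed for this example.

```python
import re

# Constructed, deliberately simplified path patterns. They are NOT the CRS
# 932200 regex; they stand in for the idea in the PR description: a rule that
# only recognises "/" as a separator misses Windows-style paths, and the fix
# is to accept "\" as a separator as well.

# "/"-only check: two or more segments, each introduced by a forward slash.
UNIX_ONLY = re.compile(r"(?:/[\w.-]+){2,}")

# Widened check: each segment may start with "/" or "\". Inside the raw
# string, "\\" in the character class matches one literal backslash.
BOTH_DELIMS = re.compile(r"(?:[/\\][\w.-]+){2,}")


def matches_unix_only(s: str) -> bool:
    return UNIX_ONLY.search(s) is not None


def matches_both(s: str) -> bool:
    return BOTH_DELIMS.search(s) is not None


# Constructed samples: the value is the verdict the widened pattern should give.
SAMPLES = {
    "/var/log/syslog": True,                         # *nix path, already covered
    "\\Users\\alice\\Documents\\report.txt": True,   # Windows path, missed by "/"-only
    "C:\\Windows\\Temp\\run.exe": True,              # drive letter plus backslashes
    "C:/Windows\\Temp/run.exe": True,                # mixed separators, valid on Windows
    "hello world": False,                            # no path at all
    "discount 10/20 today": False,                   # a single "/" is not a path
}


def compare(samples):
    """Return {sample: (old_match, new_match)} so both verdicts can be inspected."""
    return {s: (matches_unix_only(s), matches_both(s)) for s in samples}


def new_rule_only_widens(samples) -> bool:
    """Regression check: everything the old pattern matched, the new one must still match."""
    return all(matches_both(s) for s in samples if matches_unix_only(s))


def expected_verdicts_hold(samples) -> bool:
    """Positive and negative tests for the widened pattern, as the reviewers requested."""
    return all(matches_both(s) == want for s, want in samples.items())


if __name__ == "__main__":
    for sample, (old, new) in compare(SAMPLES).items():
        print(f"{sample!r:45} old={old!s:5} new={new!s:5}")
    print("only widens:", new_rule_only_widens(SAMPLES))
    print("verdicts hold:", expected_verdicts_hold(SAMPLES))
```

The two boolean helpers are the part worth carrying over to a real rule change: a widened pattern should pass every input the old one passed (no lost detections) and should additionally pass the backslash cases, and both sets belong in the rule's regression tests. Because the backslash is itself an escape character in regex syntax and in most rule-file quoting, the new alternative is exactly the spot where a hand-edited pattern tends to stop meaning what its author intended, which is why a dedicated backslash test matters.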