Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add File Safe Regex to Profile Filename #30

Merged
merged 2 commits into from
Jun 9, 2021
Merged

Add File Safe Regex to Profile Filename #30

merged 2 commits into from
Jun 9, 2021

Conversation

fresh-eggs
Copy link
Contributor

This PR aims to add a regex which will enforce an allowed list of characters on the profile filenames generated by the App Profiler.

app_profiler/lib/app_profiler/profile.rb

Lines 66 to 77 in 4d4ed61

def path
filename = [
Time.zone.now.strftime("%Y%m%d-%H%M%S"),
mode,
id,
Socket.gethostname,
].compact.join("-") << ".json"
raise UnsafeFilename if /[^0-9A-Za-z.\-\_]/.match(filename)
AppProfiler.profile_root.join(filename)
end

The regex [^0-9A-Za-z.\-\_], attempts to match on any character not included in alphanumerics, ., - or _.

@dalehamel
Copy link
Member

thanks @fresh-eggs

@dalehamel dalehamel merged commit 32c14f7 into main Jun 9, 2021
@dalehamel dalehamel deleted the filename_sanitize branch June 9, 2021 14:10
@shopify-shipit shopify-shipit bot temporarily deployed to production June 9, 2021 16:18 Inactive
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Hackerone security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@fresh-eggs @dalehamel