From c2fe9f0966c02a3224cbe5df2bae208cbf9b0ef8 Mon Sep 17 00:00:00 2001
From: iTrooz
Date: Sat, 2 Sep 2023 17:51:21 +0200
Subject: [PATCH] fix: verify that file names queried from the store do not allow path traversal (#1277)
---
 plugins/builtin/source/content/views/view_store.cpp | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/plugins/builtin/source/content/views/view_store.cpp b/plugins/builtin/source/content/views/view_store.cpp
index e923f4e59..c6296ae63 100644
--- a/plugins/builtin/source/content/views/view_store.cpp
+++ b/plugins/builtin/source/content/views/view_store.cpp
@@ -260,11 +260,18 @@ namespace hex::plugin::builtin {
 bool ViewStore::download(fs::ImHexPath pathType, const std::string &fileName, const std::string &url, bool update) {
 bool downloading = false;
- for (const auto &path : fs::getDefaultPaths(pathType)) {
- if (!fs::isPathWritable(path))
+ for (const auto &folderPath : fs::getDefaultPaths(pathType)) {
+ if (!fs::isPathWritable(folderPath))
 continue;
- auto fullPath = path / std::fs::path(fileName);
+ // verify that we write the file to the right folder
+ // this is to prevent the filename from having elements like ../
+ auto fullPath = std::fs::weakly_canonical(folderPath / std::fs::path(fileName));
+ auto [folderIter, pathIter] = std::mismatch(folderPath.begin(), folderPath.end(), fullPath.begin());
+ if(folderIter != folderPath.end()) {
+ log::warn("The destination file name '{}' is invalid", fileName);
+ return false;
+ }
 if (!update || wolv::io::fs::exists(fullPath)) {
 downloading = true;
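Review bot: The added `std::mismatch` call uses the three-iterator overload, so when the canonicalised `fullPath` has fewer components than `folderPath` (a name that resolves to an ancestor of the folder), the second range is read past its end before the check can reject it. The bounded form `std::mismatch(folderPath.begin(), folderPath.end(), fullPath.begin(), fullPath.end())` avoids that. The check also compares a canonicalised path against a raw one: if an entry from `fs::getDefaultPaths` is reached through a symlink or ends in a separator, every file name would presumably be rejected, so canonicalise the base too, e.g. `auto baseDir = std::fs::weakly_canonical(folderPath);`, and compare against `baseDir`. Assuming `std::fs` aliases `std::filesystem`, `weakly_canonical` can also throw on an OS error; the `std::error_code` overload would keep a bad name on the warn-and-return path. The body of `ViewStore::download` continues past the end of the hunk.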