RomanNum3ral
/
gstack
mirror of https://github.com/garrytan/gstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix: freeze hook symlink bypass and prefix collision (MEDIUM-03) 

- Add POSIX-portable path resolution (cd + pwd -P, works on macOS)
- Fix prefix collision: /project-evil no longer matches /project freeze dir
- Use trailing slash in boundary check to require directory boundary
This commit is contained in:
Garry Tan 2026-03-27 22:14:08 -07:00
parent b60162ae45
commit 87d54689ba
No known key found for this signature in database
GPG Key ID: C1F69E85C74EFE1D
1 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
freeze/bin/check-freeze.sh
View File

@ -51,9 +51,20 @@ esac
# Normalize: remove double slashes and trailing slash # Normalize: remove double slashes and trailing slash
FILE_PATH=$(printf '%s' "$FILE_PATH" | sed 's|/\+|/|g;s|/$||') FILE_PATH=$(printf '%s' "$FILE_PATH" | sed 's|/\+|/|g;s|/$||')
# Resolve symlinks and .. sequences (POSIX-portable, works on macOS)
_resolve_path() {
local _dir _base
_dir="$(dirname "$1")"
_base="$(basename "$1")"
_dir="$(cd "$_dir" 2>/dev/null && pwd -P || printf '%s' "$_dir")"
printf '%s/%s' "$_dir" "$_base"
}
FILE_PATH=$(_resolve_path "$FILE_PATH")
FREEZE_DIR=$(_resolve_path "$FREEZE_DIR")
# Check: does the file path start with the freeze directory? # Check: does the file path start with the freeze directory?
case "$FILE_PATH" in case "$FILE_PATH" in
"${FREEZE_DIR}"*) "${FREEZE_DIR}/"*|"${FREEZE_DIR}")
# Inside freeze boundary — allow # Inside freeze boundary — allow
echo '{}' echo '{}'
;; ;;