Merge pull request #1828 from OpenC3/bug/sanitize-params-parent-dir

Disallow parent dir path in sanitize_params

Author: ryan-pratt

openc3-cosmos-cmd-tlm-api/app/controllers/application_controller.rb

@@ -57,7 +57,7 @@ def authorization(permission, target_name: nil, perform_render: true)
     end
   end
 
-  def sanitize_params(param_list, require_params: true, allow_forward_slash: false)
+  def sanitize_params(param_list, require_params: true, allow_forward_slash: false, allow_parent_dir: false)
     if require_params
       result = params.require(param_list)
     else
@@ -78,6 +78,9 @@ def sanitize_params(param_list, require_params: true, allow_forward_slash: false
         else
           value = arg.encode(Encoding::UTF_8, invalid: :replace, undef: :replace, replace: "�").strip.tr("\u{202E}%$|:;/\t\r\n\\", "-")
         end
+        if not allow_parent_dir
+          value = value.gsub(/(\.|%2e){2}/i, "-")
+        end
         if value != arg
           render json: { status: 'error', message: "Invalid #{param_list[index]}: #{arg}" }, status: 400
           return false

openc3-cosmos-script-runner-api/app/controllers/application_controller.rb

@@ -68,7 +68,7 @@ def authorization(permission, target_name: nil)
     return true
   end
 
-  def sanitize_params(param_list, require_params: true, allow_forward_slash: false)
+  def sanitize_params(param_list, require_params: true, allow_forward_slash: false, allow_parent_dir: false)
     if require_params
       result = params.require(param_list)
     else
@@ -89,6 +89,9 @@ def sanitize_params(param_list, require_params: true, allow_forward_slash: false
         else
           value = arg.encode(Encoding::UTF_8, invalid: :replace, undef: :replace, replace: "�").strip.tr("\u{202E}%$|:;/\t\r\n\\", "-")
         end
+        if not allow_parent_dir
+          value = value.gsub(/(\.|%2e){2}/i, "-")
+        end
         if value != arg
           render json: { status: 'error', message: "Invalid #{param_list[index]}: #{arg}" }, status: 400
           return false