Restrict filesystem reads in snapshot to paths under project root

1 files changed, 18 insertions, 2 deletions

diff --git a/src/zenserver/storage/projectstore/httpprojectstore.cpp b/src/zenserver/storage/projectstore/httpprojectstore.cpp
index 4e947f221..8742ed75f 100644
--- a/src/zenserver/storage/projectstore/httpprojectstore.cpp
+++ b/src/zenserver/storage/projectstore/httpprojectstore.cpp
@@ -2900,8 +2900,24 @@ HttpProjectService::HandleRpcRequest(HttpRouterRequest& Req)
 								{
 									std::string_view	  ServerPath = View["serverpath"sv].AsString();
 									std::filesystem::path FilePath	 = Project->RootDir / ServerPath;
-									BasicFile			  DataFile;
-									std::error_code		  Ec;
+									if (!std::filesystem::exists(FilePath))
+									{
+										ZEN_WARN("Attempted to read non-existent file '{}' in 'snapshot'", FilePath);
+										AllOk = false;
+										continue;
+									}
+
+									std::filesystem::path CanonicalRoot = std::filesystem::canonical(Project->RootDir);
+
+									if (!std::filesystem::canonical(FilePath).string().starts_with(CanonicalRoot.string()))
+									{
+										ZEN_WARN("Unable to read file '{}' outside of project root '{}'", FilePath, CanonicalRoot);
+										AllOk = false;
+										continue;
+									}
+
+									BasicFile		DataFile;
+									std::error_code Ec;
 									DataFile.Open(FilePath, BasicFile::Mode::kRead, Ec);
 
 									if (Ec)