Merge pull request #724 from ue-foundation/lm/restrict-reads-to-project

Restrict filesystem reads in snapshot to paths under project root
author: Liam Mitchell <[email protected]> 2026-02-03 16:48:54 -0800
committer: GitHub Enterprise <[email protected]> 2026-02-03 16:48:54 -0800
commit: 7c2af226d08ae251ea965419069739a3b80f20fb (patch)
tree: 79241adb6407c65bdc59dea842905f87b31042f6 /src
parent: reduce blocking in scrub (#743) (diff)
parent: Disallow external file reads from project with unset project roots (diff)
download: zen-7c2af226d08ae251ea965419069739a3b80f20fb.tar.xz
zen-7c2af226d08ae251ea965419069739a3b80f20fb.zip
1 files changed, 32 insertions, 4 deletions
diff --git a/src/zenserver/storage/projectstore/httpprojectstore.cpp b/src/zenserver/storage/projectstore/httpprojectstore.cpp
index 4e947f221..86b4d7100 100644
--- a/src/zenserver/storage/projectstore/httpprojectstore.cpp
+++ b/src/zenserver/storage/projectstore/httpprojectstore.cpp
@@ -2880,6 +2880,8 @@ HttpProjectService::HandleRpcRequest(HttpRouterRequest& Req)
 				};
 				tsl::robin_map<IoHash, AddedChunk, IoHash::Hasher> AddedChunks;
 
+				const std::filesystem::path CanonicalRoot = std::filesystem::canonical(Project->RootDir);
+
 				Oplog->IterateOplog(
 					[&](CbObjectView Op) {
 						bool OpRewritten = false;
@@ -2898,10 +2900,36 @@ HttpProjectService::HandleRpcRequest(HttpRouterRequest& Req)
 
 								if (DataHash == IoHash::Zero)
 								{
-									std::string_view	  ServerPath = View["serverpath"sv].AsString();
-									std::filesystem::path FilePath	 = Project->RootDir / ServerPath;
-									BasicFile			  DataFile;
-									std::error_code		  Ec;
+									std::string_view ServerPath = View["serverpath"sv].AsString();
+									if (CanonicalRoot.empty())
+									{
+										ZEN_WARN("Attempting to load file '{}' from project with unset project root", ServerPath);
+										AllOk = false;
+										continue;
+									}
+
+									std::error_code				Ec;
+									const std::filesystem::path FilePath = std::filesystem::canonical(Project->RootDir / ServerPath, Ec);
+
+									if (Ec)
+									{
+										ZEN_WARN("Failed to find file '{}' in project root '{}' for 'snapshot'. Reason: '{}'",
+												 ServerPath,
+												 Project->RootDir,
+												 Ec.message());
+										AllOk = false;
+										continue;
+									}
+
+									if (std::mismatch(CanonicalRoot.begin(), CanonicalRoot.end(), FilePath.begin()).first !=
+										CanonicalRoot.end())
+									{
+										ZEN_WARN("Unable to read file '{}' outside of project root '{}'", FilePath, CanonicalRoot);
+										AllOk = false;
+										continue;
+									}
+
+									BasicFile DataFile;
 									DataFile.Open(FilePath, BasicFile::Mode::kRead, Ec);
 
 									if (Ec)
author	Liam Mitchell <[email protected]>	2026-02-03 16:48:54 -0800
committer	GitHub Enterprise <[email protected]>	2026-02-03 16:48:54 -0800
commit	7c2af226d08ae251ea965419069739a3b80f20fb (patch)
tree	79241adb6407c65bdc59dea842905f87b31042f6 /src
parent	reduce blocking in scrub (#743) (diff)
parent	Disallow external file reads from project with unset project roots (diff)
download	zen-7c2af226d08ae251ea965419069739a3b80f20fb.tar.xz zen-7c2af226d08ae251ea965419069739a3b80f20fb.zip