From 82620db8cfc41f80b4f0dde7d9eee92e6eb7aa0d Mon Sep 17 00:00:00 2001
From: Stefan Boberg
Date: Fri, 20 Mar 2026 19:58:36 +0100
Subject: Reject local file references in package parsing by default

- Add ParseFlags enum with kAllowLocalReferences opt-in flag
- Default to rejecting local refs in ParsePackageMessage and CbPackageReader, protecting against path traversal from untrusted remote clients
- Add HttpService::AcceptsLocalFileReferences() virtual (default false)
- Override to true in HttpStructuredCacheService and HttpProjectService, which need local refs for the local UE cooker optimization
- Both server ingest paths now require IsLocalMachineRequest() AND AcceptsLocalFileReferences() before allowing local refs
---
 src/zenhttp/httpserver.cpp | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

(limited to 'src/zenhttp/httpserver.cpp')

diff --git a/src/zenhttp/httpserver.cpp b/src/zenhttp/httpserver.cpp
index ce3440f9a..d15ef7a00 100644
--- a/src/zenhttp/httpserver.cpp
+++ b/src/zenhttp/httpserver.cpp
@@ -479,6 +479,12 @@ HttpService::HandlePackageRequest(HttpServerRequest& HttpServiceRequest)
 	return Ref();
 }
 
+bool
+HttpService::AcceptsLocalFileReferences() const
+{
+	return false;
+}
+
 //////////////////////////////////////////////////////////////////////////
 HttpServerRequest::HttpServerRequest(HttpService& Service)
 : m_Service(Service)
@@ -705,7 +711,9 @@ HttpServerRequest::ReadPayloadPackage()
 {
 	if (IoBuffer Payload = ReadPayload())
 	{
-		return ParsePackageMessage(std::move(Payload));
+		ParseFlags Flags =
+			(IsLocalMachineRequest() && m_Service.AcceptsLocalFileReferences()) ? ParseFlags::kAllowLocalReferences : ParseFlags::kDefault;
+		return ParsePackageMessage(std::move(Payload), {}, Flags);
 	}
 
 	return {};
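Review bot: The new `AcceptsLocalFileReferences()` default carries no comment, yet the value a subclass returns here is a security decision rather than a tuning knob: per the commit message, returning true re-enables server-side handling of local file references named by a loopback client, which is exactly what the default is meant to keep off. A future service author reading only this definition has no way to know that. I would add above it `/// Whether packages sent by local-machine clients of this service may carry local file references. Returning true re-enables resolution of client-named local paths; keep the default unless the service needs the local cooker optimisation.`, or the equivalent on the declaration in the header, which is not part of this hunk.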
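Review bot: The gate on the added `Flags` line equates "request came from this machine" with "request is trusted", and `IsLocalMachineRequest()` is not visible on this page to confirm what that means. If it is derived from the peer address being loopback, then any process on the host satisfies it — another user on a shared build machine, a same-host reverse proxy that forwards remote traffic, or, depending on what the endpoint accepts, a browser coerced into a cross-origin POST to localhost — and can hand the opted-in services a package whose local references the server will resolve; if it instead consults client-supplied headers such as `X-Forwarded-For`, it is bypassable outright. I would state the assumption where the decision is made, `// Local file references are honoured only for loopback peers of services that opt in; IsLocalMachineRequest() must derive from the socket peer address, never from forwarded headers.`, and verify the implementation matches before relying on it. The closing brace of `ReadPayloadPackage` lies past the end of this hunk, and the ParseFlags enum and CbPackageReader changes the message describes are not shown on this page.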
@@ -1259,7 +1267,10 @@ HandlePackageOffers(HttpService& Service, HttpServerRequest& Request,
 		RefCreateTarget(Cid, Size);
 	};
 
-	CbPackage Package = ParsePackageMessage(Request.ReadPayload(), CreateBuffer);
+	ParseFlags PkgFlags = (Request.IsLocalMachineRequest() && Service.AcceptsLocalFileReferences())
+							  ? ParseFlags::kAllowLocalReferences
+							  : ParseFlags::kDefault;
+	CbPackage Package = ParsePackageMessage(Request.ReadPayload(), CreateBuffer, PkgFlags);
 
 	PackageHandlerRef->OnRequestComplete();
 }
-- 
cgit v1.2.3
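Review bot: The added `PkgFlags` ternary is a second hand-written copy of the policy already expressed in `ReadPayloadPackage` (`IsLocalMachineRequest() && AcceptsLocalFileReferences()`), so the two ingest paths can silently diverge the next time either is edited — a third path that checks only one half of the conjunction would reopen the hole this commit closes. I would keep the decision in one place on the request, `ParseFlags HttpServerRequest::PackageParseFlags() const { return (IsLocalMachineRequest() && m_Service.AcceptsLocalFileReferences()) ? ParseFlags::kAllowLocalReferences : ParseFlags::kDefault; }`, and have this site read `CbPackage Package = ParsePackageMessage(Request.ReadPayload(), CreateBuffer, Request.PackageParseFlags());`, with `ReadPayloadPackage` calling the same helper. `HandlePackageOffers` begins before this hunk, so I cannot see whether `Request.ReadPayload()` returning an empty buffer is handled earlier the way `ReadPayloadPackage` handles it.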