1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
|
// Copyright Epic Games, Inc. All Rights Reserved.
#pragma once
#include <zencore/compactbinary.h>
#include <zencore/except_fmt.h>
#include <zencore/string.h>
#include <filesystem>
#include <string_view>
namespace zen::compute {
// Validate that a single path component contains only characters that are valid
// file/directory names on all supported platforms. Uses Windows rules as the most
// restrictive superset, since packages may be built on one platform and consumed
// on another.
inline void
ValidatePathComponent(std::string_view Component, std::string_view FullPath)
{
// Reject control characters (0x00-0x1F) and characters forbidden on Windows
for (char Ch : Component)
{
if (static_cast<unsigned char>(Ch) < 0x20 || Ch == '<' || Ch == '>' || Ch == ':' || Ch == '"' || Ch == '|' || Ch == '?' ||
Ch == '*')
{
throw zen::invalid_argument("invalid character in path component '{}' of '{}'", Component, FullPath);
}
}
// Reject empty components and trailing dots or spaces (silently stripped on Windows, leading to confusion)
if (Component.empty() || Component.back() == '.' || Component.back() == ' ')
{
throw zen::invalid_argument("path component '{}' of '{}' has trailing dot or space", Component, FullPath);
}
// Reject Windows reserved device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9)
// These are reserved with or without an extension (e.g. "CON.txt" is still reserved).
std::string_view Stem = Component.substr(0, Component.find('.'));
static constexpr std::string_view ReservedNames[] = {
"CON", "PRN", "AUX", "NUL", "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7",
"COM8", "COM9", "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9",
};
for (std::string_view Reserved : ReservedNames)
{
if (zen::StrCaseCompare(Stem, Reserved) == 0)
{
throw zen::invalid_argument("path component '{}' of '{}' uses reserved device name '{}'", Component, FullPath, Reserved);
}
}
}
// Validate that a path extracted from a package is a safe relative path.
// Rejects absolute paths, ".." components, and invalid platform filenames.
inline void
ValidateSandboxRelativePath(std::string_view Name)
{
if (Name.empty())
{
throw zen::invalid_argument("path traversal detected: empty path name");
}
std::filesystem::path Parsed(Name);
if (Parsed.is_absolute())
{
throw zen::invalid_argument("path traversal detected: '{}' is an absolute path", Name);
}
for (const auto& Component : Parsed)
{
std::string ComponentStr = Component.string();
if (ComponentStr == "..")
{
throw zen::invalid_argument("path traversal detected: '{}' contains '..' component", Name);
}
// Skip "." (current directory) — harmless in relative paths
if (ComponentStr != ".")
{
ValidatePathComponent(ComponentStr, Name);
}
}
}
// Validate all path entries in a worker description CbObject.
// Checks path, executables[].name, dirs[], and files[].name fields.
// Throws an exception if any invalid paths are found.
inline void
ValidateWorkerDescriptionPaths(const CbObject& WorkerDescription)
{
using namespace std::literals;
if (auto PathField = WorkerDescription["path"sv]; PathField.HasValue())
{
ValidateSandboxRelativePath(PathField.AsString());
}
for (auto& It : WorkerDescription["executables"sv])
{
ValidateSandboxRelativePath(It.AsObjectView()["name"sv].AsString());
}
for (auto& It : WorkerDescription["dirs"sv])
{
ValidateSandboxRelativePath(It.AsString());
}
for (auto& It : WorkerDescription["files"sv])
{
ValidateSandboxRelativePath(It.AsObjectView()["name"sv].AsString());
}
}
} // namespace zen::compute
|