[sr-dev] git:master:6cc8f126: app_jsdt: length checks for resolving js module path

Module: kamailio Branch: master Commit: 6cc8f126391476a05f8d90a35d6d57eec7c4e8d8 URL: https://github.com/kamailio/kamailio/commit/6cc8f126391476a05f8d90a35d6d57e… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2023-11-20T09:43:15+01:00 app_jsdt: length checks for resolving js module path --- Modified: src/modules/app_jsdt/app_jsdt_api.c --- Diff: https://github.com/kamailio/kamailio/commit/6cc8f126391476a05f8d90a35d6d57e… Patch: https://github.com/kamailio/kamailio/commit/6cc8f126391476a05f8d90a35d6d57e… --- diff --git a/src/modules/app_jsdt/app_jsdt_api.c b/src/modules/app_jsdt/app_jsdt_api.c index 8ad015c89d9..68dc38f1b23 100644 --- a/src/modules/app_jsdt/app_jsdt_api.c +++ b/src/modules/app_jsdt/app_jsdt_api.c @@ -1072,23 +1072,42 @@ duk_ret_t cb_resolve_module(duk_context *JJ) const char *parent_id = duk_get_string(JJ, 1); char requested_path[PATH_MAX]; + char resolved_id[PATH_MAX]; + char *ptr = NULL; + + if(requested_id == NULL) { + return duk_generic_error(JJ, "Invalid parameter"); + } + if(strlen(requested_id) >= PATH_MAX) { + return duk_generic_error(JJ, "Parameter too long"); + } + requested_path[0] = '\0'; if(requested_id[0] == '/') { // absolute strcpy(requested_path, requested_id); } else if(strncmp(requested_id, "./", 2) || strncmp(requested_id, "../", 3)) { - if(strlen(parent_id)) { + if(parent_id != NULL && strlen(parent_id) > 0) { + if(strlen(parent_id) >= PATH_MAX) { + return duk_generic_error(JJ, "Second parameter too long"); + } // relative to parent strcpy(requested_path, parent_id); } else { + if(strlen(_sr_jsdt_load_file.s) >= PATH_MAX) { + return duk_generic_error(JJ, "Load file path too long"); + } // no parent so relative to jsdt_load_file strcpy(requested_path, _sr_jsdt_load_file.s); } - char *ptr = strrchr(requested_path, '/'); + ptr = strrchr(requested_path, '/'); if(ptr) { ptr++; *ptr = '\0'; } + if(strlen(requested_path) + strlen(requested_id) >= PATH_MAX) { + return duk_generic_error(JJ, "Path too long"); + } strcat(requested_path, requested_id); } else { LM_INFO("cb_resolve_module - TODO resolve pathless module names"); @@ -1096,9 +1115,11 @@ duk_ret_t cb_resolve_module(duk_context *JJ) } // if missing add .js ext if(strcmp(strrchr(requested_path, '\0') - 3, ".js")) { + if(strlen(requested_path) + 3 >= PATH_MAX) { + return duk_generic_error(JJ, "Path too long"); + } strcat(requested_path, ".js"); } - char resolved_id[PATH_MAX]; if(realpath(requested_path, resolved_id)) { duk_push_string(JJ, resolved_id); return 1; /*nrets*/