fix: freeze hook symlink bypass and prefix collision (MEDIUM-03)

- Add POSIX-portable path resolution (cd + pwd -P, works on macOS)
- Fix prefix collision: /project-evil no longer matches /project freeze dir
- Use trailing slash in boundary check to require directory boundary
Garry Tan
2026-03-27 22:14:08 -07:00
parent b60162ae45
commit 87d54689ba
+12 -1
@@ -51,9 +51,20 @@ esac
# Normalize: remove double slashes and trailing slash
FILE_PATH=$(printf '%s' "$FILE_PATH" | sed 's|/\+|/|g;s|/$||')
# Resolve symlinks and .. sequences (POSIX-portable, works on macOS)
_resolve_path() {
local _dir _base
_dir="$(dirname "$1")"
_base="$(basename "$1")"
_dir="$(cd "$_dir" 2>/dev/null && pwd -P || printf '%s' "$_dir")"
printf '%s/%s' "$_dir" "$_base"
}
FILE_PATH=$(_resolve_path "$FILE_PATH")
FREEZE_DIR=$(_resolve_path "$FREEZE_DIR")
# Check: does the file path start with the freeze directory?
case "$FILE_PATH" in
"${FREEZE_DIR}"*)
"${FREEZE_DIR}/"*|"${FREEZE_DIR}")
# Inside freeze boundary — allow
echo '{}'
;;
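Review bot: The fallback in `_resolve_path` (`|| printf '%s' "$_dir"`) returns the directory unresolved whenever `cd` fails, so when the target's parent directory does not exist, any `..` components survive into the `case` match and a string that merely begins with `${FREEZE_DIR}/` is accepted. Failing closed would be safer, e.g. `_dir="$(cd "$_dir" 2>/dev/null && pwd -P)" || return 1`, with the two call sites treating a non-zero return as outside the boundary; the deny branch of the `case` lies outside this hunk, so that wiring is not visible here. Separately, only the parent directory is canonicalised and the last component is appended as given, so a leaf that is itself a symlink is compared by its link name rather than its target. If that is accepted for now, a comment such as `# NOTE: final path component is not resolved; a symlinked leaf is checked by name only` would keep the limitation visible. The same applies to `FREEZE_DIR`: if its last component is a symlink it stays unresolved while file paths beneath it are resolved, so the two sides of the comparison may not agree.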