gobuffalo · hdm · Aug 25, 2019 · Aug 25, 2019 · Aug 26, 2019
@@ -15,8 +15,8 @@ import (
 	"github.com/gobuffalo/packd"
 	"github.com/gobuffalo/packr/v2/file"
 	"github.com/gobuffalo/packr/v2/file/resolver"
-	"github.com/gobuffalo/packr/v2/plog"
 	"github.com/gobuffalo/packr/v2/internal/takeon/github.com/markbates/oncer"
+	"github.com/gobuffalo/packr/v2/plog"
 )
 
 var _ packd.Box = &Box{}
@@ -28,12 +28,12 @@ var _ packd.Finder = &Box{}
 // Box represent a folder on a disk you want to
 // have access to in the built Go binary.
 type Box struct {
-	Path		string			`json:"path"`
-	Name		string			`json:"name"`
-	ResolutionDir	string			`json:"resolution_dir"`
-	DefaultResolver	resolver.Resolver	`json:"default_resolver"`
-	resolvers	resolversMap
-	dirs		dirsMap
+	Path            string            `json:"path"`
+	Name            string            `json:"name"`
+	ResolutionDir   string            `json:"resolution_dir"`
+	DefaultResolver resolver.Resolver `json:"default_resolver"`
+	resolvers       resolversMap
+	dirs            dirsMap
 }
 
 // NewBox returns a Box that can be used to
@@ -215,7 +215,12 @@ func (b *Box) Resolve(key string) (file.File, error) {
 
 	f, err := r.Resolve(b.Name, key)
 	if err != nil {
-		z := filepath.Join(resolver.OsPath(b.ResolutionDir), filepath.FromSlash(path.Clean("/"+resolver.OsPath(key))))
+		z, err := resolver.ResolvePathInBase(resolver.OsPath(b.ResolutionDir), filepath.FromSlash(path.Clean("/"+resolver.OsPath(key))))
+		if err != nil {
+			plog.Debug(r, "Resolve", "box", b.Name, "key", key, "err", err)
+			return f, err
+		}
+
 		f, err = r.Resolve(b.Name, z)
 		if err != nil {
 			plog.Debug(r, "Resolve", "box", b.Name, "key", z, "err", err)

@@ -182,9 +182,9 @@ func Test_Box_Open(t *testing.T) {
 	r := require.New(t)
 
 	d := resolver.NewInMemory(map[string]file.File{
-		"foo.txt":		qfile("foo.txt", "foo!"),
-		"bar":			qfile("bar", "bar!"),
-		"baz/index.html":	qfile("baz", "baz!"),
+		"foo.txt":        qfile("foo.txt", "foo!"),
+		"bar":            qfile("bar", "bar!"),
+		"baz/index.html": qfile("baz", "baz!"),
 	})
 	box := New("Test_Box_Open", "./templates")
 
@@ -223,3 +223,31 @@ func Test_Box_HasDir(t *testing.T) {
 	r.True(box.HasDir("c"))
 	r.False(box.HasDir("a"))
 }
+
+func Test_Box_Traversal_Standard(t *testing.T) {
+	r := require.New(t)
+	box := New("Test_Box_Traversal_Standard", "")
+	_, err := box.FindString("../fixtures/hello.txt")
+	r.Error(err)
+}
+
+func Test_Box_Traversal_Standard_Depth2(t *testing.T) {
+	r := require.New(t)
+	box := New("Test_Box_Traversal_Standard_Depth2", "")
+	_, err := box.FindString("../../packr/fixtures/hello.txt")
+	r.Error(err)
+}
+
+func Test_Box_Traversal_Backslash(t *testing.T) {
+	r := require.New(t)
+	box := New("Test_Box_Traversal_Backslash", "")
+	_, err := box.FindString("..\\fixtures\\hello.txt")
+	r.Error(err)
+}
+
+func Test_Box_Traversal_Backslash_Depth2(t *testing.T) {
+	r := require.New(t)
+	box := New("Test_Box_Traversal_Backslash_Depth2", "")
+	_, err := box.FindString("..\\..\\packr2\\fixtures\\hello.txt")
+	r.Error(err)
+}
@@ -23,10 +23,15 @@ func (d Disk) String() string {
 }
 
 func (d *Disk) Resolve(box string, name string) (file.File, error) {
+	var err error
 	path := OsPath(name)
 	if !filepath.IsAbs(path) {
-		path = filepath.Join(OsPath(d.Root), path)
+		path, err = ResolvePathInBase(OsPath(d.Root), path)
+		if err != nil {
+			return nil, err
+		}
 	}
+
 	fi, err := os.Stat(path)
 	if err != nil {
 		return nil, err
@@ -40,6 +45,32 @@ func (d *Disk) Resolve(box string, name string) (file.File, error) {
 	return nil, os.ErrNotExist
 }
 
+// ResolvePathInBase returns a path that is guaranteed to be inside of the base directory or an error
+func ResolvePathInBase(base, path string) (string, error) {
+	// Determine the absolute file path of the base directory
+	d, err := filepath.Abs(base)
+	if err != nil {
+		return "", err
+	}
+
+	// Return the base directory if no file was requested
+	if path == "/" || path == "\\" {
+		return d, nil
+	}
+
+	// Resolve the absolute file path after combining the key with base
+	p, err := filepath.Abs(filepath.Join(d, path))
+	if err != nil {
+		return "", err
+	}
+
+	// Verify that the resolved path is inside of the base directory
+	if !strings.HasPrefix(p, d+string(filepath.Separator)) {
+		return "", os.ErrNotExist
+	}
+	return p, nil
+}
+
 var _ file.FileMappable = &Disk{}
 
 func (d *Disk) FileMap() map[string]file.File {
@@ -70,8 +101,8 @@ func (d *Disk) FileMap() map[string]file.File {
 		return nil
 	}
 	err := godirwalk.Walk(root, &godirwalk.Options{
-		FollowSymbolicLinks:	true,
-		Callback:		callback,
+		FollowSymbolicLinks: true,
+		Callback:            callback,
 	})
 	if err != nil {
 		plog.Logger.Errorf("[%s] error walking %v", root, err)