Github Bot
Poster of Commits
Reject risky character names. (#91)
* Reject risky character names.
We don't expect to ever receive character names containing '.', '/',
or '\', but if we do, we shouldn't accept them, as this introduces a
risk of directory traversal which can allow attackers to break out of
$KOLMAFIA_ROOT.
* Improve username validation.
1. Name must be 3-30 characters long.
2. Name must start with a letter.
3. Name must be letters, numbers, spaces and underscores.
4. Name may not contain more than one space in a row.
We're not handling requirements 2 or 4, but that's okay. It's better
than what we were doing before.
* Add explicit check for ".." to make CodeQL happier.
The code seems like it checks for this specifically.....
https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
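An added example, not KoLmafia's own code: a Java validator that enforces all four name rules listed above (the commit notes that rules 2 and 4 are not yet enforced; this version goes beyond the commit and enforces them too), keeps the explicit '..', '.', '/' and '\' rejection, and adds a containment check when the validated name is resolved under the root. The `ROOT` path and the class name are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

public final class CharacterNameValidator {
    // Hypothetical root directory; the real $KOLMAFIA_ROOT comes from the application's settings.
    private static final Path ROOT = Paths.get("/tmp/kolmafia-root").toAbsolutePath().normalize();

    // Rules 1-3: 3-30 characters, leading letter, then letters/digits/spaces/underscores only.
    // matches() requires the whole string to match, so nothing else can sneak in.
    private static final Pattern NAME = Pattern.compile("[A-Za-z][A-Za-z0-9 _]{2,29}");

    public static boolean isValidName(String name) {
        if (name == null || !NAME.matcher(name).matches()) return false;
        // Rule 4: no two spaces in a row.
        if (name.contains("  ")) return false;
        // Explicit traversal checks. The character class above already excludes these,
        // but stating them makes intent obvious and satisfies static analysis (CodeQL TaintedPath).
        return !(name.contains("..") || name.contains(".")
                || name.contains("/") || name.contains("\\"));
    }

    // Resolves the name under ROOT; returns null if validation fails or the
    // normalized result would escape ROOT (defense in depth behind isValidName).
    public static Path characterDirectory(String name) {
        if (!isValidName(name)) return null;
        Path candidate = ROOT.resolve(name).normalize();
        return candidate.startsWith(ROOT) ? candidate : null;
    }

    public static void main(String[] args) {
        // Constructed samples: the first two are accepted, the rest rejected (null).
        String[] samples = {"Alice", "Bob_42", "Al", "9lives", "a  b", "../../etc", "x\\y", "name.txt"};
        for (String s : samples) {
            System.out.printf("%-12s -> %s%n", s, characterDirectory(s));
        }
    }
}
```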