🛡️ Sentinel: [HIGH] Fix path traversal in scene downloads#162
Conversation
在 `src/simulation/mujocoUtils.js` 中,`downloadExampleScenesFolder` 会将外部文件直接写入 MuJoCo 虚拟文件系统。如果 `relativePath` 包含恶意路径(如 `../` 或 `/`),可能导致跨目录写入。增加正则匹配 `/(^|\/)\.\.(\/|$)/` 以及绝对路径校验,以安全阻断目录穿越行为,同时允许文件名内合法包含 `..`。 Co-authored-by: ImChong <74563097+ImChong@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
downloadExampleScenesFolder方法从 JSON 获取的相对路径未经过滤即写入虚拟机文件系统,攻击者可能通过构造恶意的files.json将文件写入/working/之外的任意目录。/(^|\/)\.\.(\/|$)/结构和/开头的校验逻辑,检测到越权路径时抛出异常。my..file.txt的合法文件名,仅过滤目录切换符。PR created automatically by Jules for task 10545686341381630955 started by @ImChong