diff --git a/.jules/sentinel.md b/.jules/sentinel.md index 3739f7e..e6d54a8 100644 --- a/.jules/sentinel.md +++ b/.jules/sentinel.md @@ -70,3 +70,8 @@ **Vulnerability:** Weak random number generation using `Math.random()`. **Learning:** `Math.random()` is not cryptographically secure, which could lead to predictable outcomes in simulation generation or terrain seeding. **Prevention:** Use `window.crypto.getRandomValues()` instead of `Math.random()` to ensure strong random number generation for security or unpredictability. + +## 2026-06-29 - [Zip Slip Path Traversal] +**Vulnerability:** Path traversal (Zip Slip) vulnerability in file download handling. +**Learning:** Writing files directly to the MuJoCo WASM virtual filesystem (`mujoco.FS.writeFile`) using paths sourced from external/downloaded files (like `files.json`) without validation allows malicious paths (e.g., `../` or `/`) to write outside the intended working directory. +**Prevention:** Always validate relative paths to prevent directory traversal by checking against regex like `/(^|\/)\.\.(\/|$)/` and checking for absolute paths (`startsWith('/')`) before performing file system operations. diff --git a/src/simulation/mujocoUtils.js b/src/simulation/mujocoUtils.js index 8df70ac..583536c 100644 --- a/src/simulation/mujocoUtils.js +++ b/src/simulation/mujocoUtils.js @@ -753,6 +753,9 @@ export async function downloadExampleScenesFolder(mujoco, onProgress, options = }); const writeToFs = (relativePath, data) => { + if (/(^|\/)\.\.(\/|$)/.test(relativePath) || relativePath.startsWith('/')) { + throw new Error(`Path traversal detected: ${relativePath}`); + } const split = relativePath.split('/'); let working = '/working/'; for (let f = 0; f < split.length - 1; f++) {