Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .jules/sentinel.md
Original file line number Diff line number Diff line change
Expand Up @@ -70,3 +70,8 @@
**Vulnerability:** Weak random number generation using `Math.random()`.
**Learning:** `Math.random()` is not cryptographically secure, which could lead to predictable outcomes in simulation generation or terrain seeding.
**Prevention:** Use `window.crypto.getRandomValues()` instead of `Math.random()` to ensure strong random number generation for security or unpredictability.

## 2026-06-29 - [Zip Slip Path Traversal]
**Vulnerability:** Path traversal (Zip Slip) vulnerability in file download handling.
**Learning:** Writing files directly to the MuJoCo WASM virtual filesystem (`mujoco.FS.writeFile`) using paths sourced from external/downloaded files (like `files.json`) without validation allows malicious paths (e.g., `../` or `/`) to write outside the intended working directory.
**Prevention:** Always validate relative paths to prevent directory traversal by checking against regex like `/(^|\/)\.\.(\/|$)/` and checking for absolute paths (`startsWith('/')`) before performing file system operations.
3 changes: 3 additions & 0 deletions src/simulation/mujocoUtils.js
Original file line number Diff line number Diff line change
Expand Up @@ -753,6 +753,9 @@ export async function downloadExampleScenesFolder(mujoco, onProgress, options =
});

const writeToFs = (relativePath, data) => {
if (/(^|\/)\.\.(\/|$)/.test(relativePath) || relativePath.startsWith('/')) {
throw new Error(`Path traversal detected: ${relativePath}`);
}
const split = relativePath.split('/');
let working = '/working/';
for (let f = 0; f < split.length - 1; f++) {
Expand Down
Loading