mirrors/Mole
1
0
Fork 0
mirror of https://github.com/tw93/Mole.git synced 2026-02-15 01:10:10 +00:00
Code Activity

fix(security): allow Firefox ..files directories in path validation

Browse Source 
Fixes #263

- Change regex from \.\. to (^|/)\.\.(/|$) to only match path components
- Firefox uses ..files suffix in IndexedDB dirs (e.g., name..files)
- Still blocks actual traversal: /tmp/../etc
- Added test cases for Firefox compatibility
- All 16 tests passing
This commit is contained in:
Tw93
2026-01-06 09:51:34 +08:00
parent 3ef44efcf9
commit d3f1cdd834
3 changed files with 24 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
SECURITY_AUDIT.md
View File

@@ -291,7 +291,7 @@ bats tests/security.bats # Run specific suite
| Standard | Implementation |
|----------|----------------|
| OWASP Secure Coding | Input validation, least privilege, defense-in-depth |
| CWE-22 (Path Traversal) | Absolute path enforcement, `../` rejection |
| CWE-22 (Path Traversal) | Enhanced detection: rejects `/../` components while allowing `..` in directory names (Firefox compatibility) |
| CWE-78 (Command Injection) | Control character filtering |
| CWE-59 (Link Following) | Symlink detection before privileged operations |
| Apple File System Guidelines | Respects SIP, Read-Only Volumes, TCC |