dali/bacnet_stack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bugfix/validate-user-provided-file-object-paths (#1197)

Browse Source 
* Fixed BACnet file object path name unintended path traversals by optionally restricting path name content with BACNET_FILE_PATH_RESTRICTED define.

* Added POSIX file path name checking for AtomicReadFile and AtomicWriteFile example applications. Prohibits use of relative and absolute file paths when BACNET_FILE_PATH_RESTRICTED is non-zero.
This commit is contained in:
Steve Karg
2026-01-05 11:19:52 -06:00
committed by GitHub
parent 715e45eb5c
commit c5dc00a77b
11 changed files with 151 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
test/bacnet/basic/sys/filename/src/main.c
+48 -1
View File
@@ -27,6 +27,7 @@ static void testFilename(void)
const char *data3 = "c:\\Program Files\\Christopher\\run.exe";
const char *data4 = "//Mary/data/run";
const char *data5 = "bin\\run";
const char *data6 = "run.exe";
const char *filename = NULL;
filename = filename_remove_path(data1);
@@ -39,9 +40,53 @@ static void testFilename(void)
zassert_equal(strcmp("run", filename), 0, NULL);
filename = filename_remove_path(data5);
zassert_equal(strcmp("run", filename), 0, NULL);
filename = filename_remove_path(data6);
zassert_equal(strcmp("run.exe", filename), 0, NULL);
return;
}
#if defined(CONFIG_ZTEST_NEW_API)
ZTEST(filename_tests, testFilenameValid)
#else
static void testFilenameValid(void)
#endif
{
const char *data0 = "";
const char *data1 = "c:\\Joshua\\run";
const char *data2 = "/home/Anna/run";
const char *data3 = "c:\\Program Files\\Christopher\\run.exe";
const char *data4 = "//Mary/data/run";
const char *data5 = "bin\\\\run";
const char *data6 = "bin/./run";
const char *data7 = "bin/../run";
const char *data_valid = "certs/mycert.pem";
bool valid = false;
valid = filename_path_valid(NULL);
zassert_false(valid, NULL);
valid = filename_path_valid(data0);
zassert_false(valid, NULL);
valid = filename_path_valid(data1);
zassert_false(valid, NULL);
valid = filename_path_valid(data2);
zassert_false(valid, NULL);
valid = filename_path_valid(data3);
zassert_false(valid, NULL);
valid = filename_path_valid(data4);
zassert_false(valid, NULL);
valid = filename_path_valid(data5);
zassert_false(valid, NULL);
valid = filename_path_valid(data6);
zassert_false(valid, NULL);
valid = filename_path_valid(data7);
zassert_false(valid, NULL);
valid = filename_path_valid(data_valid);
zassert_true(valid, NULL);
return;
}
/**
* @}
*/
@@ -51,7 +96,9 @@ ZTEST_SUITE(filename_tests, NULL, NULL, NULL, NULL, NULL);
#else
void test_main(void)
{
ztest_test_suite(filename_tests, ztest_unit_test(testFilename));
ztest_test_suite(
filename_tests, ztest_unit_test(testFilename),
ztest_unit_test(testFilenameValid));
ztest_run_test_suite(filename_tests);
}