From e2e3768fe10391bc1d50b197276310ae9da65604 Mon Sep 17 00:00:00 2001
From: Veiko Aasa
Date: Thu, 23 Jul 2020 13:57:01 +0300
Subject: [PATCH] ikiwiki: Validate a path when deleting wiki or blog

I tested that ikiwiki functional tests pass and running the command `sudo ./actions/ikiwiki delete --name '../'` returns an error and does not delete any directory.

Signed-off-by: Veiko Aasa
Reviewed-by: Sunil Mohan Adapa
---
 actions/ikiwiki | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/actions/ikiwiki b/actions/ikiwiki
index 471297407..6824f85c9 100755
--- a/actions/ikiwiki
+++ b/actions/ikiwiki
@@ -46,6 +46,11 @@ def parse_arguments():
     return parser.parse_args()
 
 
+def _is_safe_path(basedir, path):
+    """Return whether a path is safe."""
+    return os.path.realpath(path).startswith(basedir)
+
+
 def subcommand_setup(_):
     """Perform first time setup operations."""
     setup()
@@ -106,6 +111,11 @@ def subcommand_delete(arguments):
     html_folder = os.path.join(SITE_PATH, arguments.name)
     wiki_folder = os.path.join(WIKI_PATH, arguments.name)
 
+    if not (_is_safe_path(SITE_PATH, html_folder)
+            and _is_safe_path(WIKI_PATH, wiki_folder)):
+        print('Error: {0} is not a correct name.'.format(arguments.name))
+        exit(1)
+
     try:
         shutil.rmtree(html_folder)
         shutil.rmtree(wiki_folder)
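Review bot: The prefix test in `_is_safe_path` is too loose for a check that gates `shutil.rmtree`: `startswith(basedir)` accepts a resolved path that is the base directory itself, or a sibling directory whose name merely begins with the base name, since no path separator is required after the prefix. It also compares the resolved path against an unresolved `basedir`, so if `SITE_PATH` or `WIKI_PATH` contains a symlink every name is rejected. Resolve both sides and require the base to be the common ancestor and strictly different from the target, as below, and state that contract in the docstring.
```python
def _is_safe_path(basedir, path):
    """Return whether path resolves to a location strictly inside basedir."""
    base = os.path.realpath(basedir)
    real = os.path.realpath(path)
    return real != base and os.path.commonpath([base, real]) == base
```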
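Review bot: The rejection branch added to `subcommand_delete` prints the error to stdout and leaves via the `exit` builtin, which is a `site` convenience rather than the `sys.exit` the rest of a script normally uses; the message also goes to the same stream as normal output, so callers parsing stdout cannot separate it. Preferable is `print('Error: {0} is not a correct name.'.format(arguments.name), file=sys.stderr)` followed by `sys.exit(1)`, assuming `sys` is already imported in this file (the import block is outside the hunk). The body of `subcommand_delete` continues past the end of the hunk.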