nik/signal-cli
1
0
Fork 0
mirror of https://github.com/AsamK/signal-cli.git synced 2026-05-30 15:14:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Prevent attaching files from the signal-cli data directory

Browse Source
This commit is contained in:
AsamK 2026-05-23 13:50:06 +02:00
parent 4601e60118
commit 6da5c37504
2 changed files with 21 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
lib/src/main/java/org/asamk/signal/manager/helper/AttachmentHelper.java
View File

@ -34,8 +34,10 @@ public class AttachmentHelper {
private final SignalDependencies dependencies; private final SignalDependencies dependencies;
private final AttachmentStore attachmentStore; private final AttachmentStore attachmentStore;
private final Context context;
public AttachmentHelper(final Context context) { public AttachmentHelper(final Context context) {
this.context = context;
this.dependencies = context.getDependencies(); this.dependencies = context.getDependencies();
this.attachmentStore = context.getAttachmentStore(); this.attachmentStore = context.getAttachmentStore();
} }
@ -92,6 +94,21 @@ public class AttachmentHelper {
final boolean voiceNote final boolean voiceNote
) throws AttachmentInvalidException { ) throws AttachmentInvalidException {
try { try {
// Reject local files that point into the signal-cli data directory
if (attachment != null && !attachment.startsWith("data:")) {
try {
final var file = new File(attachment);
final var canonical = file.getCanonicalFile();
final var dataPath = context.getAccount().getDataPath().getCanonicalFile();
if (canonical.toPath().startsWith(dataPath.toPath())) {
throw new AttachmentInvalidException(attachment,
new IOException("Attaching files from the signal-cli data directory is not allowed"));
}
} catch (IOException e) {
throw new AttachmentInvalidException(attachment, e);
}
}
final var streamDetailsAndFileName = Utils.createStreamDetails(attachment); final var streamDetailsAndFileName = Utils.createStreamDetails(attachment);
final var streamDetails = streamDetailsAndFileName.first(); final var streamDetails = streamDetailsAndFileName.first();
final var uploadSpec = getResumableUploadSpec(streamDetails); final var uploadSpec = getResumableUploadSpec(streamDetails);

4
lib/src/main/java/org/asamk/signal/manager/storage/SignalAccount.java
View File

@ -192,6 +192,10 @@ public class SignalAccount implements Closeable {
this.lock = lock; this.lock = lock;
} }
public File getDataPath() {
return dataPath;
}
public static SignalAccount load( public static SignalAccount load(
File dataPath, File dataPath,
String accountPath, String accountPath,