You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Doc Kit 0.5 now uses an additional regex charclass_files_strict to try to avoid writing to out-of-scope output paths on the user's machine. However, it does not quite protect against enough cases. ../ is caught at the beginning of the string but will not be caught, e.g. after a leading ./ or within some/path/../../../../../now/we/are/very/far/up.
There may be other issues I did not think about.
For the input paths, we use charclass_files_relaxed and that intentionally allows a leading ../, however, even there, we still should not allow e.g. ../../ because then we're outside the repo and it does not make sense anymore.
Doc Kit 0.5 now uses an additional regex
charclass_files_strictto try to avoid writing to out-of-scope output paths on the user's machine. However, it does not quite protect against enough cases.../is caught at the beginning of the string but will not be caught, e.g. after a leading./or withinsome/path/../../../../../now/we/are/very/far/up.There may be other issues I did not think about.
For the input paths, we use
charclass_files_relaxedand that intentionally allows a leading../, however, even there, we still should not allow e.g.../../because then we're outside the repo and it does not make sense anymore.