Use file name whitelist to prevent RCE

Browse Source

Summary:
Use a whitelist to validate user-provided file names. This doesn't cover the entire range of valid filenames but should cover almost all of them in practice. Allows letters, numbers, periods, dashes, and underscores. Opting to use a whitelist instead of a blacklist because getting this wrong leaves us vulnerable to a RCE attack.

This is the same patch I submitted to create-react-app: https://github.com/facebook/create-react-app/pull/4866

See s163726 for more details

Reviewed By: LukasReschke

Differential Revision: D9504148

fbshipit-source-id: e3c7587f1b7f93bec90a58a38d5f6d58f1f59275

...

This commit is contained in:

Andrew Clark 2018-09-04 11:27:17 -07:00 committed by Facebook Github Bot

parent b5d908bc73

commit 9862a77b6a

1 changed files with 31 additions and 0 deletions

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31

local-cli/server/util/launchEditor.js

File diff suppressed because one or more lines are too long