lfg2025/archy
1
0
Fork 0
Code Issues 7 Pull Requests Actions Packages Projects Releases 33 Wiki Activity

fix: node names not DIDs, file sharing path validation, sync results

Browse Source 
- nodeName() shows friendly "Node-XXXX" instead of truncated DID
- nodeNameFromDid() for sync results lookup
- Map labels use node names
- Content filename validation: allow / for subdirectories (Music/song.mp3)
  but still block .., \, null bytes, hidden files, absolute paths
- Increased filename max length to 512 for paths with subdirectories

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Dorian
2026-03-19 20:35:41 +00:00
parent 12679b77b7
commit 93aaeb4abe
2 changed files with 31 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
core/archipelago/src/api/rpc/content.rs
View File

@@ -35,15 +35,21 @@ impl RpcHandler {
.get("filename")
.and_then(|v| v.as_str())
.ok_or_else(|| anyhow::anyhow!("Missing filename"))?;
// Validate filename: prevent path traversal, hidden files, and excessive length
if filename.contains("..") || filename.contains('\0') || filename.contains('/') || filename.contains('\\') {
// Validate filename: prevent path traversal and null bytes
// Allow forward slashes for subdirectories (e.g., "Music/song.mp3")
if filename.contains("..") || filename.contains('\0') || filename.contains('\\') {
anyhow::bail!("Invalid filename: path traversal not allowed");
}
if filename.starts_with('.') {
anyhow::bail!("Invalid filename: hidden files not allowed");
// Reject paths starting with / (absolute) or . (hidden)
if filename.starts_with('/') || filename.starts_with('.') {
anyhow::bail!("Invalid filename: absolute paths and hidden files not allowed");
}
if filename.is_empty() || filename.len() > 255 {
anyhow::bail!("Invalid filename: must be 1-255 characters");
// Reject any path segment starting with . (hidden dirs)
if filename.split('/').any(|seg| seg.starts_with('.') || seg.is_empty()) {
anyhow::bail!("Invalid filename: hidden files/dirs or empty segments not allowed");
}
if filename.is_empty() || filename.len() > 512 {
anyhow::bail!("Invalid filename: must be 1-512 characters");
}
let mime_type = params
.get("mime_type")