andredias/codebox

Save source files commands should run inside the jail environment

Closed · 1 comment

In order to prevent security issues in malicious file paths, the source file creation should run inside a jail environment, where only /sandbox and /tmp directories are writeable. No additional security checks will be necessary.

Passing the file contents to the nsjail.execute command proved to be tricky. One alternative is to save it into a temporary file and then try to rename it inside the jail environment.
The simplest solution so far is to make the save_sources routine stronger by checking for malicious or malformed paths.
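The hardened save_sources routine suggested in the comment above, written as an added example (not code from the codebox project) that assumes sources arrive as a mapping of relative file path to content and are written under a sandbox root directory. It rejects the usual malformed inputs before touching the filesystem (empty path, NUL byte, absolute path, any `..` component) and refuses to write through a symlink that would lead outside the root, both at a parent directory and at the final component (`O_NOFOLLOW`). The `root` parameter and the `is_rejected` helper are assumptions of this example.

```python
from __future__ import annotations

import errno
import os
from pathlib import Path, PurePosixPath


class MalformedPathError(ValueError):
    """Raised for a requested source path that must not be written."""


def validate_relative_path(raw: str) -> PurePosixPath:
    """Accept only a plain relative path with no traversal components.

    PurePosixPath already collapses '.' and duplicate slashes, so after this
    check the parts are exactly the directory names and file name to create.
    """
    if not raw or "\x00" in raw:
        raise MalformedPathError("empty path or embedded NUL byte")
    path = PurePosixPath(raw)
    if path.is_absolute():
        raise MalformedPathError(f"absolute path not allowed: {raw!r}")
    if not path.parts or ".." in path.parts:
        raise MalformedPathError(f"traversal or empty path: {raw!r}")
    return path


def save_sources(sources: dict[str, str], root: Path) -> list[Path]:
    """Write every source file under ``root`` (assumed: the sandbox directory).

    Returns the absolute paths written, in input order.
    """
    root = root.resolve(strict=True)
    written: list[Path] = []
    for raw, content in sources.items():
        rel = validate_relative_path(raw)
        target = root.joinpath(*rel.parts)
        target.parent.mkdir(parents=True, exist_ok=True)
        # A parent directory may already exist as a symlink pointing outside
        # the root, so re-check containment on the resolved parent.
        real_parent = target.parent.resolve(strict=True)
        if real_parent != root and root not in real_parent.parents:
            raise MalformedPathError(f"{raw!r} escapes {root} via symlink")
        # O_NOFOLLOW makes the open fail (ELOOP) if the final component is a
        # symlink, so content is never written through a planted link.
        try:
            fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o644)
        except OSError as exc:
            if exc.errno == errno.ELOOP:
                raise MalformedPathError(f"{raw!r} is a symlink") from exc
            raise
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(content)
        written.append(target)
    return written


def is_rejected(raw: str) -> bool:
    """Helper for checks: True if validate_relative_path refuses ``raw``."""
    try:
        validate_relative_path(raw)
    except MalformedPathError:
        return True
    return False


if __name__ == "__main__":
    import tempfile

    # Constructed sample input: two ordinary files and a few malformed paths.
    sandbox = Path(tempfile.mkdtemp())
    for p in save_sources({"main.py": "print('hi')\n", "pkg/util.py": "X = 1\n"}, sandbox):
        print("wrote", p)
    for bad in ("../escape.py", "/etc/passwd", "a/../../b", "", "x\x00y", "."):
        print(repr(bad), "rejected" if is_rejected(bad) else "ACCEPTED")
```

The symlink check matters because the jail itself only restricts which directories are writable; a link planted inside /sandbox by an earlier run would otherwise redirect a later write to /tmp or elsewhere within the writable set.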