From ff91300c3973e5aabcfcc51d67e79d6c62ef89f7 Mon Sep 17 00:00:00 2001
From: Sarah Jamie Lewis
Date: Wed, 9 Mar 2022 15:52:24 -0800
Subject: [PATCH] Adding extra checks to import tarball profile name
---
 peer/storage.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/peer/storage.go b/peer/storage.go
index 57120ba..68db73b 100644
--- a/peer/storage.go
+++ b/peer/storage.go
@@ -5,6 +5,7 @@ import (
 	"compress/gzip"
 	"crypto/rand"
 	"database/sql"
+	"encoding/hex"
 	"errors"
 	"fmt"
 	"git.openprivacy.ca/openprivacy/log"
@@ -238,6 +239,11 @@ func checkCwtchProfileBackupFile(srcFile string) (string, error) {
 	dir := parts[0]
 	profileFileType := parts[1]
 
+	_, hexErr := hex.DecodeString(dir)
+	if dir == "." || dir == ".." || len(dir) !=32 || hexErr != nil {
+		return "", errors.New("invalid profile name")
+	}
+
 	if profileName == "" {
 		profileName = dir
 	}
@@ -293,6 +299,12 @@ func importCwtchProfileBackupFile(srcFile string, profilesDir string) error {
 	}
 	dir := parts[0]
 	base := parts[1]
+	_, hexErr := hex.DecodeString(dir)
+	if dir == "." || dir == ".." || len(dir) != 32 || hexErr != nil {
+		return errors.New("invalid profile name")
+	}
+
 	if profileName == "" {
 		profileName = dir
 	}
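Review bot: The same four-clause validation of `dir` is written twice, once in checkCwtchProfileBackupFile (with `!=32`, which gofmt will rewrite as `!= 32`) and once in importCwtchProfileBackupFile, so the two import paths can drift apart; a single helper that both call keeps them in agreement, and the `"."`/`".."` clauses are already implied by the 32-character hex test since neither decodes as hex. Only the first path component is validated in these hunks: `profileFileType` and `base` are taken from `parts[1]` without any check, and whether they are later joined into a filesystem path is outside the visible lines, so that is worth confirming. Note that `hex.DecodeString` accepts upper-case digits as well, so if profile directory names are generated lower-case elsewhere a case-normalised comparison may be wanted; I cannot tell from the hunk. Both enclosing functions start and end outside the hunks.
```go
// isValidProfileDirName reports whether dir is exactly 32 hex characters,
// the only form accepted for a profile directory inside a backup tarball.
// A valid value can never be ".", ".." or contain a path separator.
func isValidProfileDirName(dir string) bool {
	if len(dir) != 32 {
		return false
	}
	_, err := hex.DecodeString(dir)
	return err == nil
}

// … unchanged: checkCwtchProfileBackupFile up to dir/profileFileType …
	if !isValidProfileDirName(dir) {
		return "", errors.New("invalid profile name")
	}
// … unchanged: importCwtchProfileBackupFile up to dir/base …
	if !isValidProfileDirName(dir) {
		return errors.New("invalid profile name")
	}
```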