snippet-library
Fixed issue where forward slashes and dots were not being removed from user inputted filenames
Context
⛑️ Ticket(s): https://secure.helpscout.net/conversation/1994083346/38231?folderId=6987275
Summary
We were not removing "/" or "." chars from new file names inputted by users in the gw-gravity-forms-rename-uploaded-files.php snippet.
The result is that users could ultimately manipulate the directory to which a file was uploaded, which is insecure.
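For readers wanting to see the shape of the fix described above, here is an added example (not the snippet library's own code) of a filename cleaner that strips both slash styles and dots from the user-supplied name part, plus a containment check run before the file is written. Function names (`gw_clean_filename_part`, `gw_build_upload_path`, `gw_path_is_inside`), the sample upload directory and the assumption that the extension comes from the upload handler rather than the user are all hypothetical.

```php
<?php
// Added example, not code from the snippet library. Names and paths are hypothetical.

// Remove every character that could change which directory a file lands in:
// forward and back slashes (path separators) and dots ("." / ".." segments).
function gw_clean_filename_part( $name ) {
	$name = str_replace( array( '/', '\\', '.', "\0" ), '', $name );
	$name = trim( $name );
	// Never return an empty name; fall back to a fixed placeholder.
	return '' === $name ? 'file' : $name;
}

// Build the final path from the cleaned name and an extension that is assumed to come
// from the upload handler, not the user; the extension is still reduced to [a-z0-9].
function gw_build_upload_path( $dir, $user_name, $ext ) {
	$ext  = preg_replace( '/[^a-z0-9]/i', '', $ext );
	$path = rtrim( $dir, '/' ) . '/' . gw_clean_filename_part( $user_name ) . '.' . $ext;
	if ( ! gw_path_is_inside( $dir, $path ) ) {
		throw new RuntimeException( 'Refusing to write outside the upload directory.' );
	}
	return $path;
}

// Lexical containment check: the path must start with the directory, contain no further
// separator and no "..". It needs no filesystem access, so it works before the file exists.
function gw_path_is_inside( $dir, $path ) {
	$dir  = rtrim( $dir, '/' ) . '/';
	$rest = substr( $path, strlen( $dir ) );
	return 0 === strpos( $path, $dir )
		&& false === strpos( $rest, '/' )
		&& false === strpos( $rest, '\\' )
		&& false === strpos( $rest, '..' );
}

// Constructed sample inputs, including traversal-style names that the old behaviour let through.
$dir = '/var/www/uploads/gravity_forms/42'; // hypothetical upload directory
foreach ( array( 'report-2023', '../../wp-config', 'a/b/c', '.htaccess' ) as $input ) {
	printf( "%-18s => %s\n", $input, gw_build_upload_path( $dir, $input, 'pdf' ) );
}
```

With these inputs the cleaned names become `report-2023.pdf`, `wp-config.pdf`, `abc.pdf` and `htaccess.pdf`, all inside the upload directory.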
Leaving the technical review to @claygriffiths but I did want to mention that whatever changes we make here will need to be duplicated in the upcoming perk. Here's a good card to keep track of this: https://www.notion.so/gravitywiz/GPFR-1-0-Final-Push-45fcd50d90934a8d806bb96e6317b2a5
We're just waiting on the customer to confirm this works for them before merging! They are on holiday now and will test on their return.
The customer confirmed this is working correctly for them. @claygriffiths can I get a review when you have some time? :smile:
Hmmm, looks like phpcs is complaining about an unrelated file :thinking:
| Fails | |
|---|---|
| :no_entry_sign: | Pull request title does match the correct format. The Pull Request title should match our Snippet Library Pull Request Title Guidelines in Notion. |
| :no_entry_sign: | Pull request title needs to end in a period or exclamation. |
| :no_entry_sign: | Commit message 'Fixed issue where forward slashes and dots were not being removed from user inputted filenames' does match the correct format. See our Snippet Library Commit Messages Guidelines in Notion. |
| :no_entry_sign: | Commit message 'Fixed issue where forward slashes and dots were not being removed from user inputted filenames' needs to end in a period or exclamation. |
| :no_entry_sign: | Commit message 'Readded clean method to the rename-uploaded-file snippet for backwards compat' does match the correct format. See our Snippet Library Commit Messages Guidelines in Notion. |
| :no_entry_sign: | Commit message 'Readded clean method to the rename-uploaded-file snippet for backwards compat' needs to end in a period or exclamation. |
Generated by :no_entry_sign: dangerJS against d933bb34700da4b7321780c1e16fa03203706a9e
The user confirmed that this works correctly :+1:
@claygriffiths or @saifsultanc I'd love a review when one of you has time!