Module: CosmosCompatibility

Included in:
Object
Defined in:
lib/openc3/top_level.rb


Instance Method Details

#load(*args) ⇒ Object



# File 'lib/openc3/top_level.rb', line 590

# Backward-compatibility wrapper around `load`: a String first argument
# beginning with "cosmos/" is rewritten to the matching "openc3/" name,
# validated, and only then handed to the next `load` in the ancestor chain.
#
# Any other first argument (non-String, or a String without the "cosmos/"
# prefix) is forwarded untouched and is NOT validated here.
#
# @param args [Array] arguments as accepted by the overridden `load`
# @return [Object] whatever the overridden `load` returns
# @raise [ArgumentError] when the rewritten name fails safe_openc3_path?
def load(*args)
  requested = args.first
  if requested.is_a?(String) && requested.start_with?("cosmos/")
    # `^` is a line anchor in Ruby; the start_with? guard above guarantees the
    # first (and only substituted) match is at offset 0.
    translated = requested.sub(/^cosmos\//, "openc3/")
    # Validate the rewritten name before anything is loaded, so a rejected
    # name never reaches super.
    safe = safe_openc3_path?(translated)
    raise ArgumentError, "Unsafe path in load after cosmos->openc3 transformation: #{translated.inspect}" unless safe

    args[0] = translated
  end
  super(*args)
end

#require(*args) ⇒ Object



# File 'lib/openc3/top_level.rb', line 578

# Backward-compatibility wrapper around `require`: a String first argument
# beginning with "cosmos/" is rewritten to the matching "openc3/" name,
# validated, and only then handed to the next `require` in the ancestor chain.
#
# Any other first argument (non-String, or a String without the "cosmos/"
# prefix) is forwarded untouched and is NOT validated here.
#
# @param args [Array] arguments as accepted by the overridden `require`
# @return [Object] whatever the overridden `require` returns
# @raise [ArgumentError] when the rewritten name fails safe_openc3_path?
def require(*args)
  requested = args.first
  if requested.is_a?(String) && requested.start_with?("cosmos/")
    # `^` is a line anchor in Ruby; the start_with? guard above guarantees the
    # first (and only substituted) match is at offset 0.
    translated = requested.sub(/^cosmos\//, "openc3/")
    # Validate the rewritten name before anything is required, so a rejected
    # name never reaches super.
    safe = safe_openc3_path?(translated)
    raise ArgumentError, "Unsafe path in require after cosmos->openc3 transformation: #{translated.inspect}" unless safe

    args[0] = translated
  end
  super(*args)
end

#safe_openc3_path?(filename) ⇒ Boolean

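Validates the filename after the cosmos->openc3 transformation. The check is purely lexical, and a name that does not start with "openc3/" is reported as safe without further checks.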

Returns:

  • (Boolean)


# File 'lib/openc3/top_level.rb', line 565

# Lexical safety check for a feature name produced by the cosmos->openc3
# rewrite. Nothing here touches the filesystem or the load path; the decision
# is made from the characters of +filename+ alone.
#
# NOTE: a String that does not start with "openc3/" is reported as safe
# without inspection, so this is not a general-purpose path validator. It is
# only meaningful for names that already carry the "openc3/" prefix.
#
# @param filename [Object] candidate name; anything but a String is rejected
# @return [Boolean] true when the name is accepted, false otherwise
def safe_openc3_path?(filename)
  return false unless filename.is_a?(String)
  # Names outside the "openc3/" namespace are out of scope and pass through.
  return true unless filename.start_with?("openc3/")

  # Substrings that indicate traversal, hidden/relative segments, Windows
  # separators, or empty path segments.
  forbidden_fragments = ["..", "./", "/.", "\\", "//"]
  return false if forbidden_fragments.any? { |fragment| filename.include?(fragment) }

  # Absolute paths (Unix and Windows drive form). Given the "openc3/" prefix
  # guard above, the leading-slash test cannot fire; it is kept as a second
  # line of defence. `^` is a line anchor here, which can only reject more.
  return false if filename.start_with?("/") || filename =~ /^[a-zA-Z]:[\\\/]/

  # Final allowlist over the whole string (\A..\z): word characters, dash,
  # slash and dot only, which also rules out newlines, NUL and colons.
  !(filename =~ /\A[\w\-\/\.]+\z/).nil?
end