-
Notifications
You must be signed in to change notification settings - Fork 74
Ensure secrets ID does not contain invalid file name characters #229
Comments
This is technically a valid use of user secrets. Altering this behavior could be a breaking change. |
@natemcmaster Setting the userSecretsId to "../../../../Evil.json" escapes the %AppData% folder, which does not seem to be intended behavior to me. It is in fact a security vulnerability classified as a Directory Traversal. |
Only the app developer can set the There is, however, perhaps a bug here, where maybe there could be more rules about valid user secrets ids. |
We already validate the user id against |
@natemcmaster that does seem reasonable. We of course never intended those to be permitted. |
I wonder if using a |
I'm also fine if we just close this bug 😄 |
Proposed fix aspnet/Configuration#558 |
A quick test showed that I could trick "dotnet user-secrets" to operate outside the defined directory (in the Roaming folder).
By setting the
userSecretsId
property in theproject.json
file to f.ex... the tool now reads in the parent folder to where it normally would operate. This can be extended as necessary to go further up and into other directories, and even to other drives.
The parameter probably shouldn't accept paths in general (just a file name, or exclude elements not allowed in file names).
The text was updated successfully, but these errors were encountered: