git:master:6cc8f126: app_jsdt: length checks for resolving js module path - sr-dev

20 Nov 2023

Module: kamailio
Branch: master
Commit: 6cc8f126391476a05f8d90a35d6d57eec7c4e8d8
URL: https://github.com/kamailio/kamailio/commit/6cc8f126391476a05f8d90a35d6d57ee...
Author: Daniel-Constantin Mierla miconda@gmail.com
Committer: Daniel-Constantin Mierla miconda@gmail.com
Date: 2023-11-20T09:43:15+01:00
app_jsdt: length checks for resolving js module path
---
Modified: src/modules/app_jsdt/app_jsdt_api.c
---
Diff:  https://github.com/kamailio/kamailio/commit/6cc8f126391476a05f8d90a35d6d57ee...
Patch: https://github.com/kamailio/kamailio/commit/6cc8f126391476a05f8d90a35d6d57ee...
---

diff --git a/src/modules/app_jsdt/app_jsdt_api.c b/src/modules/app_jsdt/app_jsdt_api.c
index 8ad015c89d9..68dc38f1b23 100644
--- a/src/modules/app_jsdt/app_jsdt_api.c
+++ b/src/modules/app_jsdt/app_jsdt_api.c
@@ -1072,23 +1072,42 @@ duk_ret_t cb_resolve_module(duk_context *JJ)
    const char *parent_id = duk_get_string(JJ, 1);
char requested_path[PATH_MAX];
+	char resolved_id[PATH_MAX];
+	char *ptr = NULL;
+
+	if(requested_id == NULL) {
+		return duk_generic_error(JJ, "Invalid parameter");
+	}
+	if(strlen(requested_id) >= PATH_MAX) {
+		return duk_generic_error(JJ, "Parameter too long");
+	}
+	requested_path[0] = '\0';
    if(requested_id[0] == '/') {
    	// absolute
    	strcpy(requested_path, requested_id);
    } else if(strncmp(requested_id, "./", 2)
    		  || strncmp(requested_id, "../", 3)) {
-		if(strlen(parent_id)) {
+		if(parent_id != NULL && strlen(parent_id) > 0) {
+			if(strlen(parent_id) >= PATH_MAX) {
+				return duk_generic_error(JJ, "Second parameter too long");
+			}
    		// relative to parent
    		strcpy(requested_path, parent_id);
    	} else {
+			if(strlen(_sr_jsdt_load_file.s) >= PATH_MAX) {
+				return duk_generic_error(JJ, "Load file path too long");
+			}
    		// no parent so relative to jsdt_load_file
    		strcpy(requested_path, _sr_jsdt_load_file.s);
    	}
-		char *ptr = strrchr(requested_path, '/');
+		ptr = strrchr(requested_path, '/');
    	if(ptr) {
    		ptr++;
    		*ptr = '\0';
    	}
+		if(strlen(requested_path) + strlen(requested_id) >= PATH_MAX) {
+			return duk_generic_error(JJ, "Path too long");
+		}
    	strcat(requested_path, requested_id);
    } else {
    	LM_INFO("cb_resolve_module - TODO resolve pathless module names");
@@ -1096,9 +1115,11 @@ duk_ret_t cb_resolve_module(duk_context *JJ)
    }
    // if missing add .js ext
    if(strcmp(strrchr(requested_path, '\0') - 3, ".js")) {
+		if(strlen(requested_path) + 3 >= PATH_MAX) {
+			return duk_generic_error(JJ, "Path too long");
+		}
    	strcat(requested_path, ".js");
    }
-	char resolved_id[PATH_MAX];
    if(realpath(requested_path, resolved_id)) {
    	duk_push_string(JJ, resolved_id);
    	return 1; /*nrets*/

    