Fix the scoreboard zip

vmcj · vmcj · commit 1e6a13026b53 · 2025-10-26T22:56:04.000+01:00
diff --git a/etc/domserver-static.php.in b/etc/domserver-static.php.in
@@ -8,14 +8,15 @@
 define('DOMJUDGE_VERSION', '@DOMJUDGE_VERSION@');
 define('DOMJUDGE_INSTALL_METHOD', '@INSTALL_METHOD@');
 
-define('BINDIR',    '@domserver_bindir@');
-define('ETCDIR',    '@domserver_etcdir@');
-define('WEBAPPDIR', '@domserver_webappdir@');
-define('LIBDIR',    '@domserver_libdir@');
-define('SQLDIR',    '@domserver_sqldir@');
-define('VENDORDIR', '@domserver_webappdir@/vendor');
-define('LOGDIR',    '@domserver_logdir@');
-define('RUNDIR',    '@domserver_rundir@');
-define('TMPDIR',    '@domserver_tmpdir@');
+define('BINDIR',         '@domserver_bindir@');
+define('ETCDIR',         '@domserver_etcdir@');
+define('WEBAPPDIR',      '@domserver_webappdir@');
+define('LIBDIR',         '@domserver_libdir@');
+define('SQLDIR',         '@domserver_sqldir@');
+define('VENDORDIR',      '@domserver_webappdir@/vendor');
+define('NODEMODULESDIR', '@domserver_webappdir@/node_modules');
+define('LOGDIR',         '@domserver_logdir@');
+define('RUNDIR',         '@domserver_rundir@');
+define('TMPDIR',         '@domserver_tmpdir@');
 
-define('BASEURL',   '@BASEURL@');
+define('BASEURL',        '@BASEURL@');
diff --git a/webapp/config/static.yaml.in b/webapp/config/static.yaml.in
@@ -9,6 +9,7 @@ parameters:
     domjudge.libdir: @domserver_libdir@
     domjudge.sqldir: @domserver_sqldir@
     domjudge.vendordir: @domserver_webappdir@/vendor
+    domjudge.nodemodulesdir: @domserver_webappdir@/node_modules
     domjudge.logdir: @domserver_logdir@
     domjudge.rundir: @domserver_rundir@
     domjudge.tmpdir: @domserver_tmpdir@
diff --git a/webapp/src/Service/DOMJudgeService.php b/webapp/src/Service/DOMJudgeService.php
@@ -114,6 +114,8 @@ public function __construct(
         protected string $projectDir,
         #[Autowire('%domjudge.vendordir%')]
         protected string $vendorDir,
+        #[Autowire('%domjudge.nodemodulesdir%')]
+        protected string $nodeModulesDir,
         #[Autowire('%domjudge.version%')]
         protected readonly string $domjudgeVersion,
         #[Autowire('%domjudge.installmethod%')]
@@ -1571,8 +1573,9 @@ public function getScoreboardZip(
             if ($filepath === false) {
                 throw new BadRequestHttpException("Could not find (symlinked) file: " . $file);
             }
-            if (!str_starts_with($filepath, $publicPath) &&
-                !str_starts_with($filepath, $this->vendorDir)
+            if (!(str_starts_with($filepath, $publicPath) ||
+                  str_starts_with($filepath, $this->vendorDir) ||
+                  str_starts_with($filepath, $this->nodeModulesDir))
             ) {
                 // Path outside of known good dirs: path traversal
                 continue;
