Merge pull request #9 from Puneet-Minhas/security-fixes

Puneet-Minhas · web-flow · commit 4d98e3ff79d7 · 2024-09-11T13:34:10.000+01:00
Security fixes
diff --git a/.github/workflows/reusable-cd.yml b/.github/workflows/reusable-cd.yml
@@ -18,7 +18,7 @@ jobs:
         id-token: write
       environment:
         name: ${{ inputs.environment }}
-        url: "https://techexcel-${{ inputs.environment }}.azurewebsites.net/"
+        url: "https://ghwxvgb4jngfa-${{ inputs.environment }}.azurewebsites.net/"
       steps:
         - uses: azure/login@v2.1.1
           with:
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,4 @@
 
 .DS_Store
+ # Local configuration file for developers
+ src/Application/src/RazorPagesTestSample/config.json
diff --git a/src/Application/src/RazorPagesTestSample/Pages/Index.cshtml.cs b/src/Application/src/RazorPagesTestSample/Pages/Index.cshtml.cs
@@ -92,10 +92,16 @@ public async Task<IActionResult> OnPostAnalyzeMessagesAsync()
             return RedirectToPage();
         }
 
-        public static void WriteToDirectory(ZipArchiveEntry entry, string destDirectory)
-        {
-            string destFileName = Path.Combine(destDirectory, entry.FullName);
-            entry.ExtractToFile(destFileName);
-        }
+     
+        
+ public static void WriteToDirectory(ZipArchiveEntry entry, string destDirectory)
+ {
+     string destFileName = Path.GetFullPath(Path.Combine(destDirectory, entry.FullName));
+     string fullDestDirPath = Path.GetFullPath(destDirectory + Path.DirectorySeparatorChar);
+     if (!destFileName.StartsWith(fullDestDirPath)) {
+         throw new System.InvalidOperationException("Entry is outside the target dir: " + destFileName);
+     }
+     entry.ExtractToFile(destFileName);
+ }
     }
 }
diff --git a/src/Application/src/RazorPagesTestSample/config.json b/src/Application/src/RazorPagesTestSample/config.json
diff --git a/src/Application/tests/RazorPagesTestSample.Tests/RazorPagesTestSample.Tests.csproj b/src/Application/tests/RazorPagesTestSample.Tests/RazorPagesTestSample.Tests.csproj
@@ -13,7 +13,7 @@
     <PackageReference Include="Microsoft.EntityFrameworkCore.InMemory" Version="8.0.3" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.9.0" />
     <PackageReference Include="Moq" Version="4.20.70" />
-    <PackageReference Include="Newtonsoft.Json" Version="11.0.2" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
     <PackageReference Include="System.Diagnostics.TraceSource" Version="4.3.0" />
     <PackageReference Include="System.Net.Http" Version="4.3.4" />
     <PackageReference Include="xunit" Version="2.7.0" />

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,4 @@`
`1`	`1`
`2`	`2`	`.DS_Store`
	`3`	`+ # Local configuration file for developers`
	`4`	`+ src/Application/src/RazorPagesTestSample/config.json`