fix path traversal in verification plugin

Author: Aniket-Engg

apps/contract-verification/src/app/Verifiers/BlockscoutVerifier.ts

@@ -38,11 +38,11 @@ export class BlockscoutVerifier extends EtherscanVerifier {
     const result: SourceFile[] = []
     const filePrefix = `/${this.LOOKUP_STORE_DIR}/${chainId}/${contractAddress}`
 
-    const targetFilePath = `${filePrefix}/${blockscoutSource.FileName}`
+    const targetFilePath = `${filePrefix}/${blockscoutSource.FileName.startsWith('..') ? blockscoutSource.FileName.replace('../', '') : blockscoutSource.FileName}`
     result.push({ content: blockscoutSource.SourceCode, path: targetFilePath })
 
     for (const additional of blockscoutSource.AdditionalSources ?? []) {
-      result.push({ content: additional.SourceCode, path: `${filePrefix}/${additional.Filename}` })
+      if(!additional.Filename.startsWith('..')) result.push({ content: additional.SourceCode, path: `${filePrefix}/${additional.Filename}` })
     }
 
     return { sourceFiles: result, targetFilePath }

apps/contract-verification/src/app/Verifiers/EtherscanVerifier.ts

@@ -273,11 +273,11 @@ export class EtherscanVerifier extends AbstractVerifier {
         parsedFiles = JSON.parse(source.SourceCode.substring(1, source.SourceCode.length - 1)).sources
       } catch (e) {}
     }
-
     if (parsedFiles) {
       const result: SourceFile[] = []
       let targetFilePath = ''
       for (const [fileName, fileObj] of Object.entries<any>(parsedFiles)) {
+        if (fileName.startsWith('..')) continue
         const path = `${filePrefix}/${fileName}`
 
         result.push({ path, content: fileObj.content })
@@ -288,7 +288,6 @@ export class EtherscanVerifier extends AbstractVerifier {
       }
       return { sourceFiles: result, targetFilePath }
     }
-
     // Parsing to JSON failed, SourceCode is the code itself
     const targetFilePath = `${filePrefix}/${source.ContractName}.sol`
     const sourceFiles: SourceFile[] = [{ content: source.SourceCode, path: targetFilePath }]

apps/contract-verification/src/app/Verifiers/SourcifyV1Verifier.ts

@@ -152,7 +152,7 @@ export class SourcifyV1Verifier extends AbstractVerifier {
         }
       }
 
-      if (filePath) {
+      if (filePath && !filePath.startsWith('..')) {
         result.push({ path: `${filePrefix}/${filePath}`, content: file.content })
       }
 

apps/contract-verification/src/app/Verifiers/SourcifyVerifier.ts

@@ -212,8 +212,8 @@ export class SourcifyVerifier extends AbstractVerifier {
     // Extract contract path from fully qualified name (path can include colons)
     const splitIdentifier = fullyQualifiedName.split(':')
     const contractPath = splitIdentifier.slice(0, -1).join(':')
-
     for (const [filePath, fileData] of Object.entries(sources)) {
+      if (filePath.startsWith('..')) continue
       const path = `${filePrefix}/sources/${filePath}`
       result.push({ path, content: fileData.content })
       if (filePath === contractPath) {