
confine tokenVocab lookup to the search directory#4942

Open

digi-scrypt wants to merge 1 commit into antlr:dev from digi-scrypt:tokenvocab-path-traversal


@digi-scrypt

  1. tokenVocab is a grammar option whose value can be any string literal, and getImportedVocabFile concatenates it straight onto the lib/output/grammar directory, so '../../foo' resolves the .tokens file outside that directory and load() reads it.
  2. Each candidate is now accepted only when its canonical path stays inside the resolved search directory, and the final fallback is confined to the directory's own file name.

What happens if someone points tokenVocab at a subfolder under -lib? The canonical check still allows real descendants; it only drops the ones that climb out with .. or an absolute path. Left the existing CANNOT_FIND_TOKENS_FILE path to report the confined miss so the message is unchanged.
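The containment check described above, as an added illustration that is not ANTLR's own code: `ConfinedVocabLookup`, `staysInside`, `unconfined` and `confined` are hypothetical names, and the interpretation of the final fallback (keep only the file name of the tokenVocab value) is an assumption.

```java
import java.io.File;
import java.io.IOException;
import java.util.List;

/** Hypothetical reimplementation of the tokenVocab lookup, not ANTLR's getImportedVocabFile. */
public final class ConfinedVocabLookup {

    /** True only when candidate's canonical path is dir itself or a real descendant of dir.
     *  getCanonicalPath resolves '..', absolute paths and symlinks before the prefix test. */
    static boolean staysInside(File dir, File candidate) throws IOException {
        String base = dir.getCanonicalPath();
        String path = candidate.getCanonicalPath();
        return path.equals(base) || path.startsWith(base + File.separator);
    }

    /** Weak shape: the option value is concatenated onto each search directory and
     *  whatever resolves is accepted, so "../../foo" reads outside the directory. */
    static File unconfined(List<File> searchDirs, String tokenVocab) {
        for (File dir : searchDirs) {
            File f = new File(dir, tokenVocab + ".tokens");
            if (f.exists()) return f;
        }
        return null;
    }

    /** Hardened shape: a candidate is accepted only when it stays under the search
     *  directory it was built from; a value naming a real subfolder under -lib still works. */
    static File confined(List<File> searchDirs, String tokenVocab) throws IOException {
        for (File dir : searchDirs) {
            File f = new File(dir, tokenVocab + ".tokens");
            if (staysInside(dir, f) && f.exists()) return f;
        }
        // Assumed fallback: drop any directory components, so only the bare file name
        // is looked up in the last search directory and nothing can climb out of it.
        File last = searchDirs.get(searchDirs.size() - 1);
        File f = new File(last, new File(tokenVocab).getName() + ".tokens");
        if (staysInside(last, f) && f.exists()) return f;
        return null; // caller reports CANNOT_FIND_TOKENS_FILE exactly as before
    }
}
```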
