From 7e45343f81407699f765b26ea6df780f62022240 Mon Sep 17 00:00:00 2001
From: Mark Felder <feld@feld.me>
Date: Fri, 4 Aug 2023 11:34:19 +0100
Subject: [PATCH] Resolve information disclosure vulnerability through emoji
 pack archive download endpoint

---
 lib/pleroma/emoji/pack.ex        | 1 +
 test/pleroma/emoji/pack_test.exs | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/lib/pleroma/emoji/pack.ex b/lib/pleroma/emoji/pack.ex
index f9b47a26b..5228b8cb7 100644
--- a/lib/pleroma/emoji/pack.ex
+++ b/lib/pleroma/emoji/pack.ex
@@ -287,6 +287,7 @@ defmodule Pleroma.Emoji.Pack do
 
   @spec load_pack(String.t()) :: {:ok, t()} | {:error, :file.posix()}
   def load_pack(name) do
+    name = Path.basename(name)
     pack_file = Path.join([emoji_path(), name, "pack.json"])
 
     with {:ok, _} <- File.stat(pack_file),
diff --git a/test/pleroma/emoji/pack_test.exs b/test/pleroma/emoji/pack_test.exs
index 48a38a9a4..e3d3b2177 100644
--- a/test/pleroma/emoji/pack_test.exs
+++ b/test/pleroma/emoji/pack_test.exs
@@ -90,4 +90,8 @@ defmodule Pleroma.Emoji.PackTest do
 
     assert updated_pack.files_count == 1
   end
+
+  test "load_pack/1 ignores path traversal in a forged pack name", %{pack: pack} do
+    assert {:ok, ^pack} = Pack.load_pack("../../../../../dump_pack")
+  end
 end