refactor: improve input handling in FilePath gin converter (#50549)

refactor: improve input handling in file_path_converter Properly handle paths containing ASCII control characters in the FilePath gin converter Co-authored-by: trop[bot] <37223003+trop[bot]@users.noreply.github.com> Co-authored-by: Keeley Hammond <vertedinde@electronjs.org>
2026-04-10 03:01:51 -04:00 · 2026-03-27 21:52:45 +00:00
parent ca65bad6a9
commit a086fc7b96
2 changed files with 10 additions and 0 deletions
--- a/shell/common/gin_converters/file_path_converter.h
+++ b/shell/common/gin_converters/file_path_converter.h
@@ -5,6 +5,8 @@
 #ifndef ELECTRON_SHELL_COMMON_GIN_CONVERTERS_FILE_PATH_CONVERTER_H_
 #define ELECTRON_SHELL_COMMON_GIN_CONVERTERS_FILE_PATH_CONVERTER_H_

+#include <algorithm>
+
 #include "base/files/file_path.h"
 #include "gin/converter.h"
 #include "shell/common/gin_converters/std_converter.h"
@@ -30,6 +32,11 @@ struct Converter<base::FilePath> {

    base::FilePath::StringType path;
    if (Converter<base::FilePath::StringType>::FromV8(isolate, val, &path)) {
+      bool has_control_chars = std::any_of(
+          path.begin(), path.end(),
+          [](base::FilePath::CharType c) { return c >= 0 && c < 0x20; });
+      if (has_control_chars)
+        return false;
      *out = base::FilePath(path);
      return true;
    } else {
--- a/shell/common/gin_converters/net_converter.cc
+++ b/shell/common/gin_converters/net_converter.cc
@@ -607,6 +607,9 @@ bool Converter<scoped_refptr<network::ResourceRequestBody>>::FromV8(
      const std::string* file = dict.FindString("filePath");
      if (!file)
        return false;
+      if (std::any_of(file->begin(), file->end(),
+                      [](char c) { return c >= 0 && c < 0x20; }))
+        return false;
      double modification_time =
          dict.FindDouble("modificationTime").value_or(0.0);
      int offset = dict.FindInt("offset").value_or(0);