Skip to content

Prevent path traversal in sqlite file name#929

Closed
benthecarman wants to merge 1 commit into
lightningdevkit:mainfrom
benthecarman:sqlite-path-traviseral
Closed

Prevent path traversal in sqlite file name#929
benthecarman wants to merge 1 commit into
lightningdevkit:mainfrom
benthecarman:sqlite-path-traviseral

Conversation

@benthecarman

@benthecarman benthecarman commented Jun 10, 2026
edited by tnull
Loading

Copy link
Copy Markdown
Contributor

Previously someone could set their db file name to something like ../ldk-node.sqlite and we would accept this as a file path and write the databse in the parent directory. This can cause issues so we now only allow for normal file names. This still does allow for sub dirs, ie setting your db name to mysubdir/ldk-node.sqlite and it'll go into the sub directory mysubdir. I didn't want to disallow this people may be using this today and doesn't seem explicity bad like the parent dir traversal.

This finding was discovered by Project Loupe.

Codex was used to help write this.

@benthecarman
Prevent path traversal in sqlite file name
f4cad09 
Previously someone could set their db file name to something like
`../ldk-node.sqlite` and we would accept this as a file path and write
the databse in the parent directory. This can cause issues so we now
only allow for normal file names. This still does allow for sub dirs, ie
setting your db name to `mysubdir/ldk-node.sqlite` and it'll go into the sub
directory `mysubdir`. I didn't want to disallow this people may be using
this today and doesn't seem explicity bad like the parent dir traversal.

Issue found by project-loupe.

Codex was used to help write this.
@ldk-reviews-bot

ldk-reviews-bot commented Jun 10, 2026
edited
Loading

Copy link
Copy Markdown

I've assigned @tnull as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

@ldk-reviews-bot ldk-reviews-bot requested a review from tnull June 10, 2026 19:33
@ldk-reviews-bot

ldk-reviews-bot commented Jun 13, 2026

Copy link
Copy Markdown

🔔 1st Reminder

Hey @tnull! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

@ldk-reviews-bot

ldk-reviews-bot commented Jun 15, 2026

Copy link
Copy Markdown

🔔 2nd Reminder

Hey @tnull! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

tnull
tnull reviewed Jun 15, 2026
View reviewed changes

@tnull tnull left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean configuring SQLite should never be a public-facing API, and we can't guard against all cases of the operator messing up. Closing this as a wontfix, but feel free to reopen if you think this is worth the noise.

@tnull tnull closed this Jun 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tnull tnull tnull left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@benthecarman @ldk-reviews-bot @tnull