fix(smb): add path sanitization helper and apply to download_folder

Marshall-Hallenbeck · Marshall-Hallenbeck · commit 5932bce690d4 · 2026-04-27T12:23:46.000-04:00
diff --git a/nxc/helpers/path.py b/nxc/helpers/path.py
@@ -0,0 +1,13 @@
+from pathlib import PurePosixPath
+
+
+def sanitize_filename(name: str) -> str:
+    """Strip path traversal components from an SMB filename.
+
+    Follows the pattern from spider_plus.py — filters '..' and '.' from
+    PurePosixPath.parts to prevent directory traversal attacks from
+    malicious SMB servers.
+    """
+    parts = PurePosixPath(name.replace("\\", "/")).parts
+    clean = [p for p in parts if p not in ("..", ".", "/")]
+    return str(PurePosixPath(*clean)) if clean else ""
diff --git a/nxc/protocols/smb.py b/nxc/protocols/smb.py
@@ -4,6 +4,9 @@
 import re
 import struct
 import ipaddress
+from pathlib import Path
+
+from nxc.helpers.path import sanitize_filename
 from Cryptodome.Hash import MD4
 from textwrap import dedent
 
@@ -2012,7 +2015,10 @@ def download_folder(self, folder, dest, recursive=False, silent=False, base_dir=
             self.logger.display(f"Created empty directory '{local_folder_path}'")
 
         for item in filtered_items:
-            item_name = item.get_longname()
+            item_name = sanitize_filename(item.get_longname())
+            if not item_name:
+                self.logger.fail(f"Path traversal detected in '{item.get_longname()}', skipping")
+                continue
             dir_path = ntpath.normpath(ntpath.join(normalized_folder, item_name))
             self.logger.debug(f"Parsing item: {item_name}, {dir_path}")
 
@@ -2022,6 +2028,11 @@ def download_folder(self, folder, dest, recursive=False, silent=False, base_dir=
             elif not item.is_directory():
                 remote_file_path = ntpath.join(folder, item_name)
                 local_file_path = os.path.join(local_folder_path, item_name)
+                # Defense-in-depth: verify path stays under destination
+                resolved = Path(local_file_path).resolve()
+                if not str(resolved).startswith(str(Path(dest).resolve()) + os.sep):
+                    self.logger.fail(f"Path traversal detected in '{item_name}', skipping")
+                    continue
                 self.logger.debug(f"{dest=} {remote_file_path=} {relative_path=} {local_folder_path=} {local_file_path=}")
 
                 try:
