From 8f35b2ef714feea116bd192ae5df6424cb49fb4a Mon Sep 17 00:00:00 2001
From: "aikido-autofix[bot]" <119856028+aikido-autofix[bot]@users.noreply.github.com>
Date: Tue, 16 Sep 2025 16:05:48 +0000
Subject: [PATCH] fix(security): autofix Path traversal attack possible

---
 mRemoteNG/Themes/ThemeSerializer.cs | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/mRemoteNG/Themes/ThemeSerializer.cs b/mRemoteNG/Themes/ThemeSerializer.cs
index b483e2f1..cdd99293 100644
--- a/mRemoteNG/Themes/ThemeSerializer.cs
+++ b/mRemoteNG/Themes/ThemeSerializer.cs
@@ -16,6 +16,10 @@ namespace mRemoteNG.Themes
         ///
         public static void SaveToXmlFile(ThemeInfo themeToSave, ThemeInfo baseTheme)
         {
+            if (baseTheme.URI == null || baseTheme.URI.Contains("../") || baseTheme.URI.Contains(@"..\"))
+                throw new ArgumentException("Invalid file path");
+            if (themeToSave.Name == null || themeToSave.Name.Contains("../") || themeToSave.Name.Contains(@"..\"))
+                throw new ArgumentException("Invalid file path");
             string oldURI = baseTheme.URI;
             string directoryName = Path.GetDirectoryName(oldURI);
             string toSaveURI = directoryName + Path.DirectorySeparatorChar + themeToSave.Name + ".vstheme";
@@ -34,6 +38,8 @@ namespace mRemoteNG.Themes
         ///
         public static void UpdateThemeXMLValues(ThemeInfo themeToUpdate)
         {
+            if (themeToUpdate.URI == null || themeToUpdate.URI.Contains("../") || themeToUpdate.URI.Contains(@"..\"))
+                throw new ArgumentException("Invalid file path");
             byte[] bytesIn = File.ReadAllBytes(themeToUpdate.URI);
             MremoteNGPaletteManipulator manipulator = new(bytesIn, themeToUpdate.ExtendedPalette);
             byte[] bytesOut = manipulator.mergePalette(themeToUpdate.ExtendedPalette);
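Review bot: The guard on `themeToSave.Name` looks only for `../` and `..\` substrings, but `Name` is spliced into `toSaveURI` as a file-name component, so a name that carries a bare separator (`sub\evil`), a drive-style prefix, or other characters invalid in a file name still passes and the `.vstheme` is written somewhere other than next to the base theme. Because `Name` is meant to be exactly one path segment, the reliable check is that it survives `Path.GetFileName` unchanged and contains none of `Path.GetInvalidFileNameChars()`, followed by a containment check of the resolved `toSaveURI` under `directoryName` via `Path.GetFullPath`; passing `nameof(...)` to `ArgumentException` also tells the caller which argument was rejected. The same substring pattern is used for `URI` in `UpdateThemeXMLValues` and for `filename` in `LoadFromXmlFile` (next hunk), where a fully qualified path to any location is accepted as-is, so a canonical-prefix check against the themes directory is the change that actually bounds the read and write locations there. SaveToXmlFile's body continues outside the hunk.
```csharp
public static void SaveToXmlFile(ThemeInfo themeToSave, ThemeInfo baseTheme)
{
    if (baseTheme?.URI == null)
        throw new ArgumentException("Invalid file path", nameof(baseTheme));
    // Name is a single file-name segment; anything that would become a path is rejected.
    if (themeToSave?.Name == null
        || themeToSave.Name != Path.GetFileName(themeToSave.Name)
        || themeToSave.Name == "." || themeToSave.Name == ".."
        || themeToSave.Name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        throw new ArgumentException("Invalid file path", nameof(themeToSave));
    string oldURI = baseTheme.URI;
    string directoryName = Path.GetDirectoryName(oldURI);
    string toSaveURI = directoryName + Path.DirectorySeparatorChar + themeToSave.Name + ".vstheme";
    // The resolved target must stay inside the base theme's directory.
    if (string.IsNullOrEmpty(directoryName)
        || !Path.GetFullPath(toSaveURI).StartsWith(
               Path.GetFullPath(directoryName) + Path.DirectorySeparatorChar,
               StringComparison.OrdinalIgnoreCase))
        throw new ArgumentException("Invalid file path", nameof(themeToSave));
    // … unchanged: rest of SaveToXmlFile …
```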
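Review bot: The new guard evaluates `themeToUpdate.URI == null` before anything has checked `themeToUpdate` itself, so a null argument still surfaces as a `NullReferenceException` rather than the `ArgumentException` the guard intends to raise, and a null `URI` is reported as a path-format error with no parameter name. Guard the object first, `if (themeToUpdate is null) throw new ArgumentNullException(nameof(themeToUpdate));`, and give the path check a parameter name, `throw new ArgumentException("Invalid file path", nameof(themeToUpdate));`, so callers can tell which input was rejected. The same ordering and naming issue applies to `baseTheme`/`themeToSave` in `SaveToXmlFile` and to `filename` in `LoadFromXmlFile`. UpdateThemeXMLValues's body continues outside the hunk.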
@@ -48,6 +54,8 @@ namespace mRemoteNG.Themes
         ///
         public static ThemeInfo LoadFromXmlFile(string filename, ThemeInfo defaultTheme = null)
         {
+            if (filename == null || filename.Contains("../") || filename.Contains(@"..\"))
+                throw new ArgumentException("Invalid file path");
             byte[] bytes = File.ReadAllBytes(filename);
             //Load the dockpanel part
             MremoteNGThemeBase themeBaseLoad = new(bytes);
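Review bot: This is the fourth copy of the identical three-clause guard in the patch, so the path policy now lives in four places and any tightening has to be repeated in each. Extract it into a private static helper, e.g. `ThrowIfUnsafePath(string path, string paramName)`, that performs the null check and the path validation and throws `ArgumentException` with `paramName`, and call it here as `ThrowIfUnsafePath(filename, nameof(filename));`. A single helper also gives one place to document what "safe" means for a theme path, which the repeated inline expression does not. LoadFromXmlFile's body continues outside the hunk.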