Incorporate feedbacks from ROS security audit

CHANGELOG.md

@@ -12,6 +12,7 @@ All Sniffnet releases with the relative changes are documented in this file.
   - Ukrainian ([#692](https://github.com/GyulyVGC/sniffnet/pull/692))
 - Show more information when domain name is short ([#720](https://github.com/GyulyVGC/sniffnet/pull/720) — fixes [#696](https://github.com/GyulyVGC/sniffnet/issues/696))
 - Added new themes _A11y (Night)_ and _A11y (Day)_ based on palettes optimized for OLED displays and users with visual impairments ([#708](https://github.com/GyulyVGC/sniffnet/pull/708))
+- Avoid directory traversal when selecting file name for PCAP exports ([#776](https://github.com/GyulyVGC/sniffnet/pull/776) — fixes [#767](https://github.com/GyulyVGC/sniffnet/issues/767))
 - Add icon to window title bar ([#719](https://github.com/GyulyVGC/sniffnet/pull/719) — fixes [#715](https://github.com/GyulyVGC/sniffnet/issues/715))
 - Update footer buttons and links ([#755](https://github.com/GyulyVGC/sniffnet/pull/755) — fixes [#553](https://github.com/GyulyVGC/sniffnet/issues/553))
 - Fix _crates.io_ package for Windows ([#718](https://github.com/GyulyVGC/sniffnet/pull/718) — fixes [#681](https://github.com/GyulyVGC/sniffnet/issues/681))

src/gui/sniffer.rs

@@ -474,7 +474,7 @@ impl Sniffer {
                 self.export_pcap.set_directory(path);
             }
             Message::OutputPcapFile(name) => {
-                self.export_pcap.set_file_name(name);
+                self.export_pcap.set_file_name(&name);
             }
             Message::ToggleThumbnail(triggered_by_resize) => {
                 let window_id = self.id.unwrap_or(Id::unique());

src/gui/types/export_pcap.rs

@@ -13,8 +13,9 @@ impl ExportPcap {
         self.enabled = !self.enabled;
     }
 
-    pub fn set_file_name(&mut self, file_name: String) {
-        self.file_name = file_name;
+    pub fn set_file_name(&mut self, file_name: &str) {
+        // remove forward and backward slashes to avoid directory traversal
+        self.file_name = file_name.replace(['/', '\\'], "");
     }
 
     pub fn set_directory(&mut self, directory: String) {
@@ -91,10 +92,13 @@ mod tests {
         let mut export_pcap = ExportPcap::default();
         assert_eq!(export_pcap.file_name(), "sniffnet.pcap");
 
-        export_pcap.set_file_name("test.pcap".to_string());
+        export_pcap.set_file_name("test.pcap");
         assert_eq!(export_pcap.file_name(), "test.pcap");
 
-        export_pcap.set_file_name("".to_string());
+        export_pcap.set_file_name("./ciao/test\\hello.pcap");
+        assert_eq!(export_pcap.file_name(), ".ciaotesthello.pcap");
+
+        export_pcap.set_file_name("");
         assert_eq!(export_pcap.file_name(), "");
     }
 
@@ -126,7 +130,7 @@ mod tests {
             Some(format!("{dir}sniffnet.pcap",))
         );
 
-        export_pcap.set_file_name("test.pcap".to_string());
+        export_pcap.set_file_name("test.pcap");
         assert_eq!(export_pcap.full_path(), Some(format!("{dir}test.pcap",)));
 
         let mut full_path = PathBuf::from("/tmp");
@@ -150,7 +154,7 @@ mod tests {
         let mut full_path = PathBuf::from("/tmp");
         full_path.push("sniffnet.pcap");
 
-        export_pcap.set_file_name("".to_string());
+        export_pcap.set_file_name("");
         assert_eq!(
             export_pcap.full_path(),
             Some(full_path.to_string_lossy().to_string())