Don't trust comments
Really straight forward bug, NimForums
uses the rather feature-full Restructured Text (RST) format for its user-generated content, which has an include
directive that can be used to include local files. What is atleast slightly interesting here is that the code authors seemed aware of the potential vulnerabilities and included a couple comments in relevant code:
The proc is meant to be used in online environments without access to a meaningful filesystem, and therefore rst include like directives won’t work. And in
myFindFile
another comment indicates: we don’t find any files in online mode: Despite these reassuring comments, the include directive works just fine and files will be found and included. Making matters a bit worse, even an admin who was aware of these risks from RST and who might have disabled the include directive, might have missed the fact that the code-blocks directive was customized to also include files.
I think this is just a nice example of how developers may not always reflect the ground truth of the code they are in. It might be that the code changed since the comment was written or that the intent of the first comment was prescriptive (don’t use when there is access to a meaningful filesystem) rather than descriptive (it won’t access the filesystem).