# [security] fix(project): confine project deletion to dir.projects #25830

## Vulnerability Overview

This PR fixes a security vulnerability in the Radare2 project deletion process. The vulnerability allows an attacker to craft a malicious path so that the project deletion operation escapes the configured `dir.projects` root directory, thereby recursively deleting arbitrary directories.

## Impact Scope

- **Impact**: Local destructive deletion; an attacker can choose any directory containing a project marker file and recursively delete its contents.
- **Severity**: High
- **CVSS v3.1**: 7.1 High
- **Vector**: `AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H`

## Fix Solution

- Add explicit boundary checks in the `r_core_project_delete()` function to ensure the deletion target is within `dir.projects`.
- Use normalized absolute paths for boundary checks to prevent path traversal attacks.
- Retain legitimate absolute path deletion functionality as long as the project files remain inside `dir.projects`.
- Add regression tests covering both rejection and allowance cases.

## Exploit Code

```bash
# 1. Create a directory outside dir.projects
mkdir /tmp/rz2-project-delete-absolute-path/

# 2. Place marker file
echo "r2 radb project file" > /tmp/rz2-project-delete-absolute-path/rc.r2

# 3. Run radare2 with a different project root directory
radare2 -e dir.projects=/tmp/

# 4. Execute delete command
P /tmp/rz2-project-delete-absolute-path/rc.r2

# 5. Verify result
# In vulnerable code, the directory will be deleted.
# In patched code, radare2 will reject the deletion and the directory remains unchanged.
```

## References

- [GitHub Issue #25830](https://github.com/radareorg/radare2/issues/25830)
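
The boundary check described under "Fix Solution" can be sketched as follows. This is an added C example, not radare2's actual patch: `normalize_abs` and `path_is_confined` are hypothetical helpers, the `/srv/r2/projects` paths are constructed, and normalization here is lexical only (no symlink resolution).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Lexically normalize an absolute path: collapse "//", "." and "..".
 * Symlinks are not resolved; that would need realpath() on top of this. */
bool normalize_abs(const char *path, char *out, size_t cap) {
    size_t len = 0;
    if (!path || path[0] != '/' || cap < 2) {
        return false;                          /* relative paths are rejected */
    }
    while (*path) {
        while (*path == '/') path++;           /* skip separator runs */
        size_t n = strcspn(path, "/");         /* length of next component */
        if (n == 0) break;
        if (n == 2 && path[0] == '.' && path[1] == '.') {
            while (len > 0 && out[--len] != '/') { }  /* pop one component */
        } else if (!(n == 1 && path[0] == '.')) {     /* "." is a no-op */
            if (len + n + 2 > cap) return false;      /* would overflow out */
            out[len++] = '/';
            memcpy(out + len, path, n);
            len += n;
        }
        path += n;
    }
    if (len == 0) out[len++] = '/';            /* collapsed to the root */
    out[len] = '\0';
    return true;
}

/* True only if target lies strictly below root after normalization. */
bool path_is_confined(const char *root, const char *target) {
    char r[4096], t[4096];
    if (!normalize_abs(root, r, sizeof r) || !normalize_abs(target, t, sizeof t)) {
        return false;
    }
    size_t rl = strlen(r);
    if (rl == 1) return t[1] != '\0';          /* root is "/" */
    /* The '/' after the prefix keeps /srv/r2/projects from matching
     * /srv/r2/projects-evil. */
    return strncmp(r, t, rl) == 0 && t[rl] == '/';
}

int main(void) {
    const char *root = "/srv/r2/projects";     /* constructed sample root */
    printf("%d\n", path_is_confined(root, "/srv/r2/projects/demo/rc.r2"));
    printf("%d\n", path_is_confined(root, "/srv/r2/projects/../other/rc.r2"));
    printf("%d\n", path_is_confined(root, "/srv/r2/projects-evil/rc.r2"));
    return 0;
}
```

The check also refuses the root directory itself, so a delete request can never remove `dir.projects` as a whole.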