Change method to prevent forbidden directory traversal. Ref #1894

This commit is contained in:
grossmj
2021-05-16 14:29:56 +09:30
parent f3d81fa450
commit 2bf16f1e5f
8 changed files with 104 additions and 17 deletions


@ -17,6 +17,7 @@
import os
from pathlib import Path
from fastapi import HTTPException, status
from ..config import Config
@ -37,15 +38,14 @@ def get_default_project_directory():
return path
def is_safe_path(file_path, directory):
def is_safe_path(file_path: str, basedir: str) -> bool:
"""
Check that file path is safe.
(the file is stored inside directory or one of its sub-directory)
"""
requested_path = os.path.abspath(file_path)
common_prefix = os.path.commonprefix([requested_path, directory])
return common_prefix != directory
test_path = (Path(basedir) / file_path).resolve()
return Path(basedir).resolve() in test_path.resolve().parents
def check_path_allowed(path):