Protect controller and compute about path outside project directory

Fix #503
2025-06-13 04:48:22 +00:00 · 2016-05-11 15:59:32 +02:00
parent 390401000f
commit c2da568543
4 changed files with 75 additions and 1 deletions
--- a/gns3server/utils/path.py
+++ b/gns3server/utils/path.py
@ -0,0 +1,39 @@
+#!/usr/bin/env python
+#
+# Copyright (C) 2016 GNS3 Technologies Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import aiohttp
+
+from ..config import Config
+
+
+def check_path_allowed(path):
+    """
+    If the server is non local raise an error if
+    the path is outside project directories
+
+    Raise a 403 in case of error
+    """
+
+    config = Config.instance().get_section_config("Server")
+    project_directory = config.get("project_directory")
+
+    if len(os.path.commonprefix([project_directory, path])) == len(project_directory):
+        return
+
+    if config.getboolean("local") is False:
+        raise aiohttp.web.HTTPForbidden(text="The path is not allowed")