Clean files and catch file path escape. Ref #1894

grossmj
2021-05-15 22:35:44 +09:30
parent 09ac7fd7fb
commit f3d81fa450
19 changed files with 44 additions and 601 deletions


@ -32,6 +32,7 @@ from uuid import UUID
from gns3server.compute.project_manager import ProjectManager
from gns3server.compute.project import Project
from gns3server.utils.path import is_safe_path
from gns3server import schemas
@ -200,7 +201,7 @@ async def get_compute_project_file(file_path: str, project: Project = Depends(de
path = os.path.normpath(file_path)
# Raise error if user try to escape
if path[0] == ".":
if not is_safe_path(path, project.path):
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
path = os.path.join(project.path, path)
@ -216,7 +217,7 @@ async def write_compute_project_file(file_path: str, request: Request, project:
path = os.path.normpath(file_path)
# Raise error if user try to escape
if path[0] == ".":
if not is_safe_path(path, project.path):
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
path = os.path.join(project.path, path)
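Review bot: In both get_compute_project_file and write_compute_project_file the string passed to `is_safe_path` is the normalized relative `path`, while the string actually used afterwards is `os.path.join(project.path, path)`, so the check and the file access operate on different values. This matters because `os.path.join` discards `project.path` when `path` is absolute, and `os.path.normpath` is purely lexical and does not follow symlinks inside the project directory. `is_safe_path` is not visible in this view, so it should be confirmed that it resolves the candidate against `project.path` with symlinks followed; it would be safer to build the final path first and validate that, e.g. `path = os.path.join(project.path, os.path.normpath(file_path))` followed by `if not is_safe_path(path, project.path):`, provided the helper accepts an already-joined path. The existing comment could also say what is enforced, e.g. `# Reject any path that resolves outside the project directory`. Both function bodies continue outside the hunks shown, and regression tests for an absolute path, a `..` sequence and a symlink pointing outside the project would pin the behaviour.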