Clean files and catch file path escape. Ref #1894

This commit is contained in:
grossmj
2021-05-15 22:35:44 +09:30
parent 09ac7fd7fb
commit f3d81fa450
19 changed files with 44 additions and 601 deletions


@ -44,6 +44,7 @@ from gns3server.controller.controller_error import ControllerError, ControllerFo
from gns3server.controller.import_project import import_project as import_controller_project
from gns3server.controller.export_project import export_project as export_controller_project
from gns3server.utils.asyncio import aiozipstream
from gns3server.utils.path import is_safe_path
from gns3server.config import Config
responses = {404: {"model": schemas.ErrorMessage, "description": "Could not find project"}}
@ -371,7 +372,7 @@ async def get_file(file_path: str, project: Project = Depends(dep_project)) -> F
path = os.path.normpath(file_path).strip("/")
# Raise error if user try to escape
if path[0] == ".":
if not is_safe_path(path, project.path):
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
path = os.path.join(project.path, path)
@ -390,7 +391,7 @@ async def write_file(file_path: str, request: Request, project: Project = Depend
path = os.path.normpath(file_path).strip("/")
# Raise error if user try to escape
if path[0] == ".":
if not is_safe_path(path, project.path):
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
path = os.path.join(project.path, path)
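Review bot: In write_file the new `is_safe_path(path, project.path)` check runs on the stripped relative `path` rather than on the value that is actually joined and opened on the next line, so whether a symlink inside the project directory or a normalized-but-still-escaping component is caught depends entirely on what the helper does with a relative first argument, which is not visible here. Consider validating the final path instead, i.e. `path = os.path.join(project.path, path)` followed by `if not is_safe_path(path, project.path): raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)`, or document on the helper that it joins and resolves (`os.path.realpath`) internally so the two call sites do not have to guess. Note also that `os.path.normpath("").strip("/")` yields `"."` and a request for `/` yields `""`, so the empty and dot cases reach the check and then `os.path.join` produces the project directory itself; presumably the helper rejects that, but if not, a write to a directory path would surface as an unhandled OS error rather than a 403. The same four lines are duplicated verbatim in get_file, so a small `_resolve_project_file(file_path, project)` helper would keep the two checks from drifting apart. write_file's body continues past the hunk.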