Fixed path traversal report on huntr: 3cf80890-2d8a-4fc7-8e0e-6d4bf648b3ea

2025-02-21 01:31:20 +00:00 · 2024-09-17 01:24:23 +02:00 · 2024-09-17 01:24:23 +02:00 · 542e0273a1
commit 542e0273a1
parent c85644bf64
2 changed files with 3 additions and 2 deletions
--- a/endpoints/lollms_apps.py
+++ b/endpoints/lollms_apps.py
@ -591,7 +591,8 @@ def run_server(app_path: Path):
@router.post("/apps/start_server")
 async def start_app_server(request: OpenFolderRequest):
    check_access(lollmsElfServer, request.client_id)
-    app_path = lollmsElfServer.lollms_paths.apps_zoo_path / request.app_name
+    app_name = sanitize_path(request.app_name)
+    app_path = lollmsElfServer.lollms_paths.apps_zoo_path / app_name
    
    if not app_path.exists():
        raise HTTPException(status_code=404, detail="App not found")
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 04500070eba0729a40c45b17e42a6c6089b29549
+Subproject commit 676c80f825f93b96bca37fefb6744e7b82df3851