🔒 prevent path traversal
Wytamma committed Mar 1, 2024
1 parent f636b22 commit 056e14b
Showing 10 changed files with 35 additions and 18 deletions.
13 changes: 11 additions & 2 deletions backend/beastiary/api/endpoints/explorer.py
Expand Up @@ -18,6 +18,7 @@ class File(BaseModel):
class Dir(BaseModel):
path: str
parent: str
is_root: bool
files: List[File]


Expand All @@ -26,8 +27,15 @@ def list_directory(path: Optional[str] = None) -> dict:
"""
List the folders/files in a diretory
"""
cwd = os.getcwd()
if not path:
path = os.path.abspath(os.getcwd())
path = os.path.abspath(cwd)
# check it path is cwd or child of cwd
if path and not os.path.abspath(path).startswith(cwd):
path = os.path.abspath(cwd)
# make path relative to cwd
path = os.path.relpath(path, cwd)
print(path)
files = [
{
"name": name,
Expand All @@ -43,7 +51,8 @@ def list_directory(path: Optional[str] = None) -> dict:

directory = {
"path": path,
"parent": str(Path(path).parent.absolute()),
"parent": str(Path(path).parent),
"files": sorted_folders,
"is_root": path == ".",
}
return directory
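Review bot: The containment test on the `if path and not os.path.abspath(path).startswith(cwd):` line is a string-prefix comparison, so a sibling directory whose name merely extends the working directory's name (constructed example: cwd `/srv/app` and path `/srv/app-old`) is accepted as if it were inside cwd. Compare path components instead: `abs_path = os.path.abspath(path)` / `if os.path.commonpath([abs_path, cwd]) != cwd:` / `path = cwd`. Both operands are absolute here, so commonpath cannot raise; note that abspath does not follow symlinks, so an entry under cwd that links elsewhere still passes — if that is not intended, `os.path.realpath` on both sides closes it (presumably a design decision; confirm). The same prefix check is added to create_trace in traces.py and should get the same fix. The `print(path)` looks like a debugging leftover and should be removed or routed through the project's logger; list_directory continues outside the hunk.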
7 changes: 6 additions & 1 deletion backend/beastiary/api/endpoints/traces.py
@@ -1,3 +1,5 @@
import errno
import os
from beastiary.api.core import add_trace, check_for_new_samples
from beastiary.log import logger

Expand Down Expand Up @@ -43,8 +45,11 @@ def create_trace(
Create new trace.
"""
try:
# check if trace is outside of the current working directory
if not os.path.abspath(trace_in.path).startswith(os.getcwd()):
raise FileNotFoundError(errno.ENOENT, os.strerror(errno.ENOENT), trace_in.path)
trace = add_trace(request.app.db, trace_in)
except FileNotFoundError as e:
except FileNotFoundError:
raise HTTPException(404, detail="Could not find log file!")
except ValueError as e:
raise HTTPException(400, detail=str(e))
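Review bot: The new guard in create_trace maps a path outside the working directory to a FileNotFoundError, which the existing handler turns into a 404; folding the policy rejection into "not found" is a reasonable choice (it does not confirm whether a file exists outside cwd), but nothing in the hunk says it is deliberate, so the comment above the raise should state it: `# paths outside the working directory are reported as not found on purpose`. The check duplicates the one added to list_directory in explorer.py and the two will drift; a single helper that both endpoints call (beastiary.api.core, next to add_trace, looks like the natural home — inferred, confirm) would keep the containment rule in one place. create_trace's signature and the rest of its body are outside the hunk.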
2 changes: 1 addition & 1 deletion backend/beastiary/webapp-dist/index.html
@@ -1,3 +1,3 @@
<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width,initial-scale=1"><link rel="shortcut icon" href="/favicon.ico" type="image/x-icon"><title>Beastiary</title><link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:100,300,400,500,700,900"><link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Material+Icons"><link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:100,300,400,500,700,900"><link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Material+Icons"><link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:100,300,400,500,700,900"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@mdi/font@latest/css/materialdesignicons.min.css"><link rel="stylesheet" href="/assets/css/custom.css"><style>html {
overflow-y: auto !important;
}</style><link href="/css/login.e537a9fa.css" rel="prefetch"><link href="/css/login~main-dashboard.f3d66085.css" rel="prefetch"><link href="/css/login~main~main-dashboard.31439c1e.css" rel="prefetch"><link href="/css/main-dashboard.6ef509d9.css" rel="prefetch"><link href="/css/main.f21905bc.css" rel="prefetch"><link href="/css/main~main-dashboard.00152d94.css" rel="prefetch"><link href="/js/login.84808bcb.js" rel="prefetch"><link href="/js/login~main-dashboard.ada10ab4.js" rel="prefetch"><link href="/js/login~main~main-dashboard.fe81a9da.js" rel="prefetch"><link href="/js/main-dashboard.fb88529c.js" rel="prefetch"><link href="/js/main.5ac86fcf.js" rel="prefetch"><link href="/js/main~main-dashboard.52fc0832.js" rel="prefetch"><link href="/js/reset-password.4eb4ed46.js" rel="prefetch"><link href="/js/start.6b201380.js" rel="prefetch"><link href="/css/chunk-vendors.91bba9cc.css" rel="preload" as="style"><link href="/js/app.f1a603c7.js" rel="preload" as="script"><link href="/js/chunk-vendors.afbd1421.js" rel="preload" as="script"><link href="/css/chunk-vendors.91bba9cc.css" rel="stylesheet"><link rel="icon" type="image/png" sizes="32x32" href="/img/icons/favicon-32x32.png"><link rel="icon" type="image/png" sizes="16x16" href="/img/icons/favicon-16x16.png"><link rel="manifest" href="/manifest.json"><meta name="theme-color" content="#4DBA87"><meta name="apple-mobile-web-app-capable" content="no"><meta name="apple-mobile-web-app-status-bar-style" content="default"><meta name="apple-mobile-web-app-title" content="frontend"><link rel="apple-touch-icon" href="/img/icons/apple-touch-icon-152x152.png"><link rel="mask-icon" href="/img/icons/safari-pinned-tab.svg" color="#4DBA87"><meta name="msapplication-TileImage" content="/img/icons/msapplication-icon-144x144.png"><meta name="msapplication-TileColor" content="#000000"></head><body><noscript><strong>We're sorry but Beastiary doesn't work properly without JavaScript enabled. 
Please enable it to continue.</strong></noscript><div id="app"></div><script src="/js/chunk-vendors.afbd1421.js"></script><script src="/js/app.f1a603c7.js"></script></body></html>
}</style><link href="/css/login.e537a9fa.css" rel="prefetch"><link href="/css/login~main-dashboard.f3d66085.css" rel="prefetch"><link href="/css/login~main~main-dashboard.31439c1e.css" rel="prefetch"><link href="/css/main-dashboard.6ef509d9.css" rel="prefetch"><link href="/css/main.f21905bc.css" rel="prefetch"><link href="/css/main~main-dashboard.00152d94.css" rel="prefetch"><link href="/js/login.84808bcb.js" rel="prefetch"><link href="/js/login~main-dashboard.ada10ab4.js" rel="prefetch"><link href="/js/login~main~main-dashboard.fe81a9da.js" rel="prefetch"><link href="/js/main-dashboard.92b36859.js" rel="prefetch"><link href="/js/main.5ac86fcf.js" rel="prefetch"><link href="/js/main~main-dashboard.52fc0832.js" rel="prefetch"><link href="/js/reset-password.4eb4ed46.js" rel="prefetch"><link href="/js/start.6b201380.js" rel="prefetch"><link href="/css/chunk-vendors.91bba9cc.css" rel="preload" as="style"><link href="/js/app.bd495215.js" rel="preload" as="script"><link href="/js/chunk-vendors.afbd1421.js" rel="preload" as="script"><link href="/css/chunk-vendors.91bba9cc.css" rel="stylesheet"><link rel="icon" type="image/png" sizes="32x32" href="/img/icons/favicon-32x32.png"><link rel="icon" type="image/png" sizes="16x16" href="/img/icons/favicon-16x16.png"><link rel="manifest" href="/manifest.json"><meta name="theme-color" content="#4DBA87"><meta name="apple-mobile-web-app-capable" content="no"><meta name="apple-mobile-web-app-status-bar-style" content="default"><meta name="apple-mobile-web-app-title" content="frontend"><link rel="apple-touch-icon" href="/img/icons/apple-touch-icon-152x152.png"><link rel="mask-icon" href="/img/icons/safari-pinned-tab.svg" color="#4DBA87"><meta name="msapplication-TileImage" content="/img/icons/msapplication-icon-144x144.png"><meta name="msapplication-TileColor" content="#000000"></head><body><noscript><strong>We're sorry but Beastiary doesn't work properly without JavaScript enabled. 
Please enable it to continue.</strong></noscript><div id="app"></div><script src="/js/chunk-vendors.afbd1421.js"></script><script src="/js/app.bd495215.js"></script></body></html>


Expand Up @@ -28,7 +28,7 @@ self.__precacheManifest = (self.__precacheManifest || []).concat([
"url": "/css/login~main~main-dashboard.31439c1e.css"
},
{
"revision": "8e5d9df0ae77bed5ca87",
"revision": "942e6d292d83697f04be",
"url": "/css/main-dashboard.6ef509d9.css"
},
{
Expand All @@ -48,12 +48,12 @@ self.__precacheManifest = (self.__precacheManifest || []).concat([
"url": "/favicon-32x32.png"
},
{
"revision": "e9a1879e3d0784f7cbcb8fd6b9ffec20",
"revision": "7bd153d1e57e58f8f036703044171ca9",
"url": "/index.html"
},
{
"revision": "9ede7b124dfdd995ce32",
"url": "/js/app.f1a603c7.js"
"revision": "123500be039079b9f1b5",
"url": "/js/app.bd495215.js"
},
{
"revision": "00f66af8c003f99efaae",
Expand All @@ -72,8 +72,8 @@ self.__precacheManifest = (self.__precacheManifest || []).concat([
"url": "/js/login~main~main-dashboard.fe81a9da.js"
},
{
"revision": "8e5d9df0ae77bed5ca87",
"url": "/js/main-dashboard.fb88529c.js"
"revision": "942e6d292d83697f04be",
"url": "/js/main-dashboard.92b36859.js"
},
{
"revision": "9d39511b7071a33e10bc",
2 changes: 1 addition & 1 deletion backend/beastiary/webapp-dist/service-worker.js
Expand Up @@ -14,7 +14,7 @@
importScripts("https://storage.googleapis.com/workbox-cdn/releases/4.3.1/workbox-sw.js");

importScripts(
"/precache-manifest.8174933c0f14872d0ddcf4c732fb1156.js"
"/precache-manifest.108f22cc4a645f3a4368ebda0f438813.js"
);

workbox.core.setCacheNameDetails({prefix: "frontend"});
5 changes: 4 additions & 1 deletion frontend/src/components/data/AddTraceButton.vue
Expand Up @@ -33,7 +33,7 @@
></v-text-field>
</v-form>
<v-list style="max-height: 300px;overflow: auto;">
<v-list-item>
<v-list-item v-if="!isRoot">
<v-list-item-avatar>
<v-icon
class="grey lighten-1"
Expand Down Expand Up @@ -123,6 +123,7 @@ export default class AddTraceButton extends Vue {
public currentPath: string = '';
public parentDir: string = '';
public files: any[] = [];
public isRoot: boolean = true;
public submit() {
dispatchCreateTrace(this.$store, {path: this.path});
Expand All @@ -135,6 +136,7 @@ export default class AddTraceButton extends Vue {
this.parentDir = '';
this.files = [];
this.list_dir();
this.isRoot = true;
}
public async list_dir() {
Expand All @@ -143,6 +145,7 @@ export default class AddTraceButton extends Vue {
this.files = response.data.files;
this.currentPath = response.data.path;
this.parentDir = response.data.parent;
this.isRoot = response.data.is_root;
}
}
</script>
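Review bot: In the reset hunk (`this.files = []; this.list_dir(); this.isRoot = true;`) the `isRoot` reset is placed after the `list_dir()` call; because `list_dir` is async and not awaited, the assignment still runs before the response handler sets `this.isRoot = response.data.is_root`, but only by accident of ordering, and anyone who later awaits the call will have the fetched value overwritten by `true`. Move `this.isRoot = true;` above `this.list_dir();` with the other field resets so the intent is explicit. The name of the enclosing method is outside the hunk.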
