Fix: prevent to traverse up the root directory

yhttp · Aug 31, 2024 · 0aca9f3 · 0aca9f3
1 parent 5fcca27
commit 0aca9f3
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 7 deletions.
diff --git a/TODO.md b/TODO.md
@@ -1,7 +1,6 @@
 # Now
-- command line argument to set any option
-- all todos
-- all fixmes
+- readme
+- header is too large, decrease the header size
 
 ## later
-- readme
+# cache assets
diff --git a/tests/test_server.py b/tests/test_server.py
@@ -102,3 +102,13 @@ def test_server_notfound(ymdapp, ymdserver, mockupfs):
 
         when(url='/bar.md')
         assert status == 404
+
+
+def test_server_unauthorized(ymdapp, ymdserver, mockupfs):
+    root = mockupfs(**{
+        'index.md': '# index',
+    })
+    ymdapp.settings.root = root
+    ymdapp.ready()
+    with ymdserver('/../foo'):
+        assert status == 403
diff --git a/yhttp/markdown/server.py b/yhttp/markdown/server.py
@@ -66,7 +66,6 @@ def info(req):
     )
 
 
-# TODO: cache
 @app.route('/index.css')
 @sass
 def get(req, path=None):
@@ -102,7 +101,9 @@ def notfound(req, path, **kw):
 
 @y.html
 def get(req, path=None):
-    # FIXME: (security) prevent to get parent directories
+    if '..' in path:
+        raise y.statuses.forbidden()
+
     targetpath = os.path.join(cfg.root, path or '')
     targetfile = None
 

diff --git a/yhttp/markdown/toc.py b/yhttp/markdown/toc.py
@@ -74,7 +74,6 @@ def extractdir(root, directory, depth=6):
     subdirs = []
     root = os.path.abspath(root)
 
-    # FIXME: prevent to traverse up
     dirpath = os.path.join(root, directory)
     for item in sorted(os.listdir(dirpath)):
         if SYSFILES.match(item):