refactor: reorder path traversal check before normalization in proxy safety validation

Move the '..' detection to operate on the raw path string before normalization, ensuring path traversal attempts are caught even when normpath would collapse them. Also apply the same early check to api_parsed_url.path in proxy_request, preventing bypass via normalized path segments.
This commit is contained in:
retoor 2025-12-07 23:12:52 +00:00
parent 50933050b5
commit 05c067c991

View File

@ -26,9 +26,9 @@ def add_cors_headers(response):
return response
def is_path_safe(path):
normalized = posixpath.normpath(path)
if '..' in normalized:
if '..' in path:
return False
normalized = posixpath.normpath(path)
full_path = os.path.abspath(os.path.join(ROOT_DIR, normalized.lstrip('/')))
return full_path.startswith(ROOT_DIR)
@ -40,7 +40,7 @@ async def proxy_request(request, method, max_retries=10, retry_delay=2):
api_parsed_url = urlparse(api_path)
normalized_api_path = posixpath.normpath(api_parsed_url.path).lstrip('/')
if '..' in normalized_api_path:
if '..' in api_parsed_url.path:
response = web.json_response({'success': False, 'error': 'Invalid path'}, status=400)
return add_cors_headers(response)