refactor: reorder path traversal check before normalization in proxy safety validation
Move the '..' detection to operate on the raw path string before normalization, ensuring path traversal attempts are caught even when normpath would collapse them. Also apply the same early check to api_parsed_url.path in proxy_request, preventing bypass via normalized path segments.
This commit is contained in:
parent
50933050b5
commit
05c067c991
6
proxy.py
6
proxy.py
@ -26,9 +26,9 @@ def add_cors_headers(response):
|
||||
return response
|
||||
|
||||
def is_path_safe(path):
|
||||
normalized = posixpath.normpath(path)
|
||||
if '..' in normalized:
|
||||
if '..' in path:
|
||||
return False
|
||||
normalized = posixpath.normpath(path)
|
||||
full_path = os.path.abspath(os.path.join(ROOT_DIR, normalized.lstrip('/')))
|
||||
return full_path.startswith(ROOT_DIR)
|
||||
|
||||
@ -40,7 +40,7 @@ async def proxy_request(request, method, max_retries=10, retry_delay=2):
|
||||
api_parsed_url = urlparse(api_path)
|
||||
normalized_api_path = posixpath.normpath(api_parsed_url.path).lstrip('/')
|
||||
|
||||
if '..' in normalized_api_path:
|
||||
if '..' in api_parsed_url.path:
|
||||
response = web.json_response({'success': False, 'error': 'Invalid path'}, status=400)
|
||||
return add_cors_headers(response)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user