From 05c067c99142387814458e0d7d8d00ca9221a91a Mon Sep 17 00:00:00 2001 From: retoor Date: Sun, 7 Dec 2025 23:12:52 +0000 Subject: [PATCH] refactor: reorder path traversal check before normalization in proxy safety validation Move the '..' detection to operate on the raw path string before normalization, ensuring path traversal attempts are caught even when normpath would collapse them. Also apply the same early check to api_parsed_url.path in proxy_request, preventing bypass via normalized path segments. --- proxy.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/proxy.py b/proxy.py index 645da3a..306a21a 100644 --- a/proxy.py +++ b/proxy.py @@ -26,9 +26,9 @@ def add_cors_headers(response): return response def is_path_safe(path): - normalized = posixpath.normpath(path) - if '..' in normalized: + if '..' in path: return False + normalized = posixpath.normpath(path) full_path = os.path.abspath(os.path.join(ROOT_DIR, normalized.lstrip('/'))) return full_path.startswith(ROOT_DIR) @@ -40,7 +40,7 @@ async def proxy_request(request, method, max_retries=10, retry_delay=2): api_parsed_url = urlparse(api_path) normalized_api_path = posixpath.normpath(api_parsed_url.path).lstrip('/') - if '..' in normalized_api_path: + if '..' in api_parsed_url.path: response = web.json_response({'success': False, 'error': 'Invalid path'}, status=400) return add_cors_headers(response)