Removed traversal.

2025-12-08 00:12:52 +01:00 · 2025-12-08 00:12:52 +01:00 · 1c346d6314
commit 1c346d6314
parent 13024a0333
1 changed files with 3 additions and 3 deletions
--- a/proxy.py
+++ b/proxy.py
@ -26,9 +26,9 @@ def add_cors_headers(response):
    return response

 def is_path_safe(path):
-    normalized = posixpath.normpath(path)
-    if '..' in normalized:
+    if '..' in path:
        return False
+    normalized = posixpath.normpath(path)
    full_path = os.path.abspath(os.path.join(ROOT_DIR, normalized.lstrip('/')))
    return full_path.startswith(ROOT_DIR)

@ -40,7 +40,7 @@ async def proxy_request(request, method, max_retries=10, retry_delay=2):
    api_parsed_url = urlparse(api_path)
    normalized_api_path = posixpath.normpath(api_parsed_url.path).lstrip('/')

-    if '..' in normalized_api_path:
+    if '..' in api_parsed_url.path:
        response = web.json_response({'success': False, 'error': 'Invalid path'}, status=400)
        return add_cors_headers(response)