RNS-Things/rns-page-node
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Improve path resolution in PageNode class to ensure security by validating file paths before serving.

Browse Source
This commit is contained in:
ivan
2025-10-05 16:02:12 -05:00
parent ea27c380cb
commit 54e6849968
1 changed files with 11 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
rns_page_node/main.py
View File

@@ -170,9 +170,12 @@ class PageNode:
_requested_at, _requested_at,
): ):
"""Serve a .mu page file, executing it as a script if it has a shebang.""" """Serve a .mu page file, executing it as a script if it has a shebang."""
pagespath = Path(self.pagespath) pagespath = Path(self.pagespath).resolve()
relative_path = path[6:] if path.startswith("/page/") else path[5:] relative_path = path[6:] if path.startswith("/page/") else path[5:]
file_path = pagespath / relative_path file_path = (pagespath / relative_path).resolve()
if not str(file_path).startswith(str(pagespath)):
return DEFAULT_NOTALLOWED.encode("utf-8")
try: try:
with file_path.open("rb") as _f: with file_path.open("rb") as _f:
first_line = _f.readline() first_line = _f.readline()
@@ -228,9 +231,13 @@ class PageNode:
_requested_at, _requested_at,
): ):
"""Serve a file from the files directory.""" """Serve a file from the files directory."""
filespath = Path(self.filespath) filespath = Path(self.filespath).resolve()
relative_path = path[6:] if path.startswith("/file/") else path[5:] relative_path = path[6:] if path.startswith("/file/") else path[5:]
file_path = filespath / relative_path file_path = (filespath / relative_path).resolve()
if not str(file_path).startswith(str(filespath)):
return DEFAULT_NOTALLOWED.encode("utf-8")
return [ return [
file_path.open("rb"), file_path.open("rb"),
{"name": file_path.name.encode("utf-8")}, {"name": file_path.name.encode("utf-8")},