use werkzeug safe_join to sanitize the requested path

no tests changed, so my implementation might have been good, but let's
use the provided check
This commit is contained in:
Brian S. Stephan 2022-12-31 08:15:37 -06:00
parent b3dfab2611
commit 55cfad90a9
Signed by: bss
GPG Key ID: 3DE06D3180895FCB

View File

@ -7,6 +7,7 @@ import re
from flask import Blueprint, Markup, abort
from flask import current_app as app
from flask import redirect, request, send_from_directory
from werkzeug.security import safe_join
from incorporealcms.lib import get_meta_str, init_md, render
@ -101,15 +102,16 @@ def request_path_to_instance_resource_path(path):
"""
# check if the path is allowed
base_dir = os.path.realpath(f'{app.instance_path}/pages/')
verbatim_path = os.path.abspath(os.path.join(base_dir, path))
resolved_path = os.path.realpath(verbatim_path)
logger.debug("base_dir '%s', constructed resolved_path '%s' for path '%s'", base_dir, resolved_path, path)
safe_path = safe_join(base_dir, path)
# bail if the requested real path isn't inside the base directory
if base_dir != os.path.commonpath((base_dir, resolved_path)):
if not safe_path:
logger.warning("client tried to request a path '%s' outside of the base_dir!", path)
raise PermissionError
verbatim_path = os.path.abspath(safe_path)
resolved_path = os.path.realpath(verbatim_path)
logger.debug("base_dir '%s', constructed resolved_path '%s' for path '%s'", base_dir, resolved_path, path)
# see if we have a real file or if we should infer markdown rendering
if os.path.exists(resolved_path):
# if this is a file-like request but actually a directory, redirect the user
@ -131,7 +133,7 @@ def request_path_to_instance_resource_path(path):
return resolved_path.replace(f'{app.instance_path}{os.path.sep}', ''), 'file'
# if we're here, this isn't direct file access, so try markdown inference
verbatim_path = os.path.abspath(os.path.join(base_dir, f'{path}.md'))
verbatim_path = f'{safe_path}.md'
resolved_path = os.path.realpath(verbatim_path)
# does the final file actually exist?