Security issue fix for /static-files/{path} endpoint #1003

merged 2 commits into from Nov 15, 2021
Fix security issue when incorrect path is given to the endpoint that serves static files which can lead to a leak of unwanted files (e.g. /static-files/../../../../etc/passwd)
mihran113 committed Nov 12, 2021
commit f01266a1a479ef11d7d6c539e7dd89e9d5639738
10 changes: 9 additions & 1 deletion aim/web/api/views.py
@@ -1,15 +1,23 @@
import os
from pathlib import Path

from aim.web.api.utils import APIRouter # wrapper for fastapi.APIRouter
from fastapi.responses import FileResponse
from fastapi import HTTPException

statics_router = APIRouter()


@statics_router.get('/static-files/{path:path}/')
async def serve_static_files(path):
from aim import web
static_file_name = os.path.join(os.path.dirname(web.__file__), 'ui', 'build', path)
static_file_root = os.path.join(os.path.dirname(web.__file__), 'ui', 'build')
static_file_name = os.path.join(static_file_root, path)

# check if path is leading inside ui/build directory
if not Path(static_file_root) in Path(static_file_name).resolve().parents:
raise HTTPException(404)

compressed_file_name = '{}.gz'.format(static_file_name)
if os.path.exists(compressed_file_name):
return FileResponse(compressed_file_name, headers={'Content-Encoding': 'gzip'})
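Review bot: the containment check compares an unresolved `static_file_root` against a resolved file path, so whenever `aim/web` lives behind a symlink (editable installs and some virtualenv layouts do this) `Path(static_file_root)` is never among `Path(static_file_name).resolve().parents` and every static file returns 404; resolve the root once, e.g. `static_file_root = Path(web.__file__).resolve().parent / 'ui' / 'build'`, and compare against that resolved value. Two smaller points on the same lines: `os.path.join(static_file_root, path)` silently drops the root when `path` is absolute, so the `.resolve().parents` check is the only thing standing between the request and the filesystem root, which deserves a comment; and the `.gz` lookup happens only after the check, which is correct, so the compressed path cannot escape either. A short test that requests `../` paths and asserts a 404 would lock this behaviour in.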