heron shell access directory

apache · Sep 26, 2018 · fd7fde0 · fd7fde0
1 parent 3822400
commit fd7fde0
Show file tree

Hide file tree

Showing 6 changed files with 21 additions and 6 deletions.
diff --git a/heron/shell/src/python/handlers/browsehandler.py b/heron/shell/src/python/handlers/browsehandler.py
@@ -34,11 +34,13 @@ def get(self, path):
     ''' get method '''
     if not path:
       path = "."
-    if path.startswith("/"):
+
+    if not utils.check_path(path):
       self.write("Only relative paths are allowed")
       self.set_status(403)
       self.finish()
       return
+
     t = Template(utils.get_asset("browse.html"))
     args = dict(
         path=path,

diff --git a/heron/shell/src/python/handlers/downloadhandler.py b/heron/shell/src/python/handlers/downloadhandler.py
@@ -37,7 +37,7 @@ def get(self, path):
     self.connection_closed = False
 
     self.set_header("Content-Disposition", "attachment")
-    if path.startswith("/"):
+    if not utils.check_path(path):
       self.write("Only relative paths are allowed")
       self.set_status(403)
       self.finish()

diff --git a/heron/shell/src/python/handlers/filedatahandler.py b/heron/shell/src/python/handlers/filedatahandler.py
@@ -32,11 +32,13 @@ def get(self, path):
     """ get method """
     if path is None:
       return {}
-    if path.startswith("/"):
+
+    if not utils.check_path(path):
       self.write("Only relative paths are allowed")
       self.set_status(403)
       self.finish()
       return
+
     offset = self.get_argument("offset", default=-1)
     length = self.get_argument("length", default=-1)
     if not os.path.isfile(path):

diff --git a/heron/shell/src/python/handlers/filehandler.py b/heron/shell/src/python/handlers/filehandler.py
@@ -35,11 +35,13 @@ def get(self, path):
       self.write("No such file")
       self.finish()
       return
-    if path.startswith("/"):
+
+    if not utils.check_path(path):
       self.write("Only relative paths are allowed")
       self.set_status(403)
       self.finish()
       return
+
     args = dict(
         filename=path,
         jquery=utils.get_asset("jquery.js"),

diff --git a/heron/shell/src/python/handlers/filestatshandler.py b/heron/shell/src/python/handlers/filestatshandler.py
@@ -38,11 +38,12 @@ def get(self, path):
     # of the dir that heron-shell is running in. This ensures
     # sandboxing. So we don't allow absolute paths and parent
     # accessing.
-    if path.startswith("/") or ".." in path:
-      self.write("Only relative paths inside job dir are allowed")
+    if not utils.check_path(path):
+      self.write("Only relative paths are allowed")
       self.set_status(403)
       self.finish()
       return
+
     listing = utils.get_listing(path)
     file_stats = {}
     for fn in listing:

diff --git a/heron/shell/src/python/utils.py b/heron/shell/src/python/utils.py
@@ -194,3 +194,11 @@ def get_container_id(instance_id):
 def get_asset(asset_name):
   ''' get assset '''
   return pkgutil.get_data("heron.shell", os.path.join("assets", asset_name))
+
+def check_path(path):
+  """
+  file path should be a relative path without ".." in it
+  :param path: file path
+  :return: true if the path is relative and doesn't contain ".."
+  """
+  return not path.startswith("/") and ".." not in path