Fix path traversal issues in all dataretriever backends
jaharkes committed May 4, 2022
1 parent d2f20ff commit 398049c
Showing 6 changed files with 19 additions and 13 deletions.
2 changes: 1 addition & 1 deletion opendiamond/dataretriever/augment_store.py
Expand Up @@ -24,7 +24,7 @@
from flask import Blueprint, url_for, Response, stream_with_context, send_file, \
jsonify
from werkzeug.datastructures import Headers
from werkzeug.utils import safe_join
from werkzeug.security import safe_join
from opendiamond.dataretriever.util import read_file_list, write_data


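Review bot: Swapping `werkzeug.utils.safe_join` for `werkzeug.security.safe_join` changes the failure contract, not just the import path: the `utils` variant raised `NotFound` when a component escaped the base directory, whereas the `security` variant (werkzeug 2.0 and later, which the deprecation of `utils.safe_join` implies this project is on) returns `None` instead. Every caller in augment_store.py is outside this hunk, so any code that relied on the exception to produce a 404 will now pass `None` on to `send_file`, `open` or `os.path` and fail with a `TypeError` (an HTTP 500 that also leaks a traceback into the logs). Either check the result at each call site, `if path is None: abort(404)`, or keep a local wrapper that raises `NotFound` when `safe_join` returns `None`, and note the contract in a comment next to the import: `# werkzeug.security.safe_join returns None (does not raise) when the path escapes the base directory`.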
5 changes: 3 additions & 2 deletions opendiamond/dataretriever/diamond_store.py
Expand Up @@ -17,6 +17,7 @@
from flask import Blueprint, url_for, Response, stream_with_context, send_file, \
jsonify
from werkzeug.datastructures import Headers
from werkzeug.security import safe_join

from opendiamond.dataretriever.util import ATTR_SUFFIX

Expand Down Expand Up @@ -120,11 +121,11 @@ def _get_object_src_uri(object_path):


def _get_obj_absolute_path(obj_path):
return os.path.join(DATAROOT, obj_path)
return safe_join(DATAROOT, obj_path)


def _get_index_absolute_path(index):
return os.path.join(INDEXDIR, index)
return safe_join(INDEXDIR, index)


@scope_blueprint.route('/obj/<path:obj_path>')
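Review bot: `_get_obj_absolute_path` and `_get_index_absolute_path` now return `None` whenever `werkzeug.security.safe_join` rejects the input (a `..` segment or an absolute component escaping `DATAROOT`/`INDEXDIR`), and neither helper nor the `/obj/<path:obj_path>` route whose decorator closes the hunk handles that case; the route body continues outside the hunk. A rejected path therefore reaches `send_file`/`open` as `None` and fails with a `TypeError` (HTTP 500) rather than the 404 the old `werkzeug.utils.safe_join` produced by raising `NotFound`. The same applies verbatim to the identical helpers in mixer_store.py, test_store.py and video_store.py in this commit. I would make the helpers fail closed in one place, e.g. `path = safe_join(DATAROOT, obj_path)`, `if path is None: abort(404)`, `return path` (with `abort` added to the `flask` import), and document it with `"""Resolve obj_path under DATAROOT; aborts with 404 if the path would escape it."""`.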
5 changes: 3 additions & 2 deletions opendiamond/dataretriever/mixer_store.py
Expand Up @@ -24,6 +24,7 @@
from flask import Blueprint, url_for, Response, stream_with_context, send_file, \
jsonify
from werkzeug.datastructures import Headers
from werkzeug.security import safe_join

BASEURL = 'cocktail'
STYLE = False
Expand Down Expand Up @@ -249,11 +250,11 @@ def _get_obj_path(obj_path):
return obj_path.replace(DATAROOT+'/', '')

def _get_obj_absolute_path(obj_path):
return os.path.join(DATAROOT, obj_path)
return safe_join(DATAROOT, obj_path)


def _get_index_absolute_path(index):
return os.path.join(INDEXDIR, index)
return safe_join(INDEXDIR, index)


@scope_blueprint.route('/obj/<path:obj_path>')
6 changes: 4 additions & 2 deletions opendiamond/dataretriever/test_store.py
Expand Up @@ -24,6 +24,8 @@
from flask import Blueprint, url_for, Response, stream_with_context, send_file, \
jsonify
from werkzeug.datastructures import Headers
from werkzeug.security import safe_join

from opendiamond.dataretriever.test_utils import *


Expand Down Expand Up @@ -279,11 +281,11 @@ def _get_obj_path(obj_path):
return obj_path.replace(DATAROOT+'/', '')

def _get_obj_absolute_path(obj_path):
return os.path.join(DATAROOT, obj_path)
return safe_join(DATAROOT, obj_path)


def _get_index_absolute_path(index):
return os.path.join(INDEXDIR, index)
return safe_join(INDEXDIR, index)


@scope_blueprint.route('/obj/<path:obj_path>')
5 changes: 3 additions & 2 deletions opendiamond/dataretriever/video_store.py
Expand Up @@ -21,6 +21,7 @@
from flask import Blueprint, Response, request, stream_with_context, url_for
from opendiamond.dataretriever.util import DiamondTextAttr
from werkzeug.datastructures import Headers
from werkzeug.security import safe_join

# IMPORTANT: requires ffmpeg >= 3.3. Lower versions produce incorrect clipping.

Expand Down Expand Up @@ -122,11 +123,11 @@ def _get_object_element(start, span, video):


def _get_obj_absolute_path(obj_path):
return os.path.join(DATAROOT, obj_path)
return safe_join(DATAROOT, obj_path)


def _get_index_absolute_path(index):
return os.path.join(INDEXDIR, index)
return safe_join(INDEXDIR, index)


def _ffprobe(video_path):
9 changes: 5 additions & 4 deletions opendiamond/dataretriever/yfcc100m_mysql_store.py
Expand Up @@ -29,6 +29,7 @@
import logging
import mysql.connector
from werkzeug.datastructures import Headers
from werkzeug.security import safe_join
from xml.sax.saxutils import quoteattr

BASEURL = 'yfcc100m_mysql'
Expand Down Expand Up @@ -124,7 +125,7 @@ def get_object_id(dataset, seq_no):

@scope_blueprint.route('/obj/<dataset>/<path:rel_path>')
def get_object_src_http(dataset, rel_path):
path = _get_obj_abosolute_path(dataset, rel_path)
path = _get_obj_absolute_path(dataset, rel_path)
response = send_file(path,
cache_timeout=datetime.timedelta(
days=365).total_seconds(),
Expand All @@ -133,8 +134,8 @@ def get_object_src_http(dataset, rel_path):
return response


def _get_obj_abosolute_path(dataset, rel_path):
return os.path.join(DATAROOT, dataset, rel_path)
def _get_obj_absolute_path(dataset, rel_path):
return safe_join(DATAROOT, dataset, rel_path)


def _get_object_element(dataset, seq_no, rel_path, download_link):
Expand Down Expand Up @@ -162,7 +163,7 @@ def _get_object_element(dataset, seq_no, rel_path, download_link):
rel_path, download_link = row[0], row[1]

if LOCAL_OBJ_URI:
src_uri = 'file://' + os.path.join(DATAROOT, dataset, rel_path)
src_uri = 'file://' + _get_obj_absolute_path(dataset, rel_path)
else:
src_uri = url_for('.get_object_src_http', dataset=dataset, rel_path=rel_path)

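Review bot: `src_uri = 'file://' + _get_obj_absolute_path(dataset, rel_path)` in the `LOCAL_OBJ_URI` branch concatenates a value that `werkzeug.security.safe_join` returns as `None` when `dataset` or `rel_path` would escape `DATAROOT`, so a bad `rel_path` row from the database now raises `TypeError` while building the scope list instead of being skipped or reported; `_get_object_element` starts and ends outside the hunk. The `get_object_src_http` route has the same gap: `path = _get_obj_absolute_path(dataset, rel_path)` is passed straight to `send_file`, which fails with a `TypeError` on `None` rather than a 404. Since `rel_path` in `_get_object_element` comes from stored data rather than the request, the defensive check there should probably log the offending row and `continue`, while the route should `abort(404)`; either way the helper deserves a docstring stating that it returns `None` for unsafe paths so both callers check it.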
