Commit 398049c

Fix path traversal issues in all dataretriever backends
1 parent d2f20ff commit 398049c

6 files changed

+19
-13
lines changed

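--- a/opendiamond/dataretriever/augment_store.py
+++ b/opendiamond/dataretriever/augment_store.py
@@ -24,7 +24,7 @@
 from flask import Blueprint, url_for, Response, stream_with_context, send_file, \
 jsonify
 from werkzeug.datastructures import Headers
-from werkzeug.utils import safe_join
+from werkzeug.security import safe_join
 from opendiamond.dataretriever.util import read_file_list, write_data
 
 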
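Review bot: The import now resolves to `werkzeug.security.safe_join`, whose behaviour on an escaping path differs from the old `werkzeug.utils` name, and every caller of `safe_join` in this module is outside the hunk. As far as I recall, `werkzeug.utils.safe_join` raised `NotFound` (a clean 404) when the joined path left the base directory, whereas `werkzeug.security.safe_join` returns `None`; a call site that feeds the result straight into `send_file` or `open` would then fail with a `TypeError` (a 500) instead of a 404. Please audit those call sites and add `if path is None: abort(404)` after each join, or wrap the helper so it raises `NotFound` itself. Pinning a Werkzeug version that actually provides `werkzeug.security.safe_join` in the project's requirements would also avoid an ImportError on older installs.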
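--- a/opendiamond/dataretriever/diamond_store.py
+++ b/opendiamond/dataretriever/diamond_store.py
@@ -17,6 +17,7 @@
 from flask import Blueprint, url_for, Response, stream_with_context, send_file, \
 jsonify
 from werkzeug.datastructures import Headers
+from werkzeug.security import safe_join
 
 from opendiamond.dataretriever.util import ATTR_SUFFIX
 
@@ -120,11 +121,11 @@ def _get_object_src_uri(object_path):
 
 
 def _get_obj_absolute_path(obj_path):
-return os.path.join(DATAROOT, obj_path)
+return safe_join(DATAROOT, obj_path)
 
 
 def _get_index_absolute_path(index):
-return os.path.join(INDEXDIR, index)
+return safe_join(INDEXDIR, index)
 
 
 @scope_blueprint.route('/obj/<path:obj_path>')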
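Review bot: `_get_obj_absolute_path` and `_get_index_absolute_path` now return `None` whenever `obj_path` or `index` would escape `DATAROOT`/`INDEXDIR` (that is `werkzeug.security.safe_join`'s contract), but neither helper checks for it, so the route handler starting at the `@scope_blueprint.route('/obj/<path:obj_path>')` context line — whose body is outside this hunk — will presumably hand `None` to `send_file` or `open` and fail with a `TypeError` (500) instead of a 404. I'd make the helpers fail closed themselves: `path = safe_join(DATAROOT, obj_path)`, `if path is None: abort(404)`, `return path`, and the same for the index helper (`abort` comes from `flask`). Each helper also deserves a one-line comment that `safe_join` only normalises the lexical path and does not resolve symlinks, so a symlink under `DATAROOT` that points outside the tree remains reachable.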
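--- a/opendiamond/dataretriever/mixer_store.py
+++ b/opendiamond/dataretriever/mixer_store.py
@@ -24,6 +24,7 @@
 from flask import Blueprint, url_for, Response, stream_with_context, send_file, \
 jsonify
 from werkzeug.datastructures import Headers
+from werkzeug.security import safe_join
 
 BASEURL = 'cocktail'
 STYLE = False
@@ -249,11 +250,11 @@ def _get_obj_path(obj_path):
 return obj_path.replace(DATAROOT+'/', '')
 
 def _get_obj_absolute_path(obj_path):
-return os.path.join(DATAROOT, obj_path)
+return safe_join(DATAROOT, obj_path)
 
 
 def _get_index_absolute_path(index):
-return os.path.join(INDEXDIR, index)
+return safe_join(INDEXDIR, index)
 
 
 @scope_blueprint.route('/obj/<path:obj_path>')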
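Review bot: The two helpers in the second hunk now propagate `safe_join`'s `None` result for a path that escapes `DATAROOT` or `INDEXDIR` instead of a usable path, and nothing in this hunk turns that into an HTTP error; the `/obj/<path:obj_path>` handler that follows is outside the hunk, so whether it copes with `None` cannot be confirmed here, but a `send_file(None, ...)` would surface as a 500 rather than a 404. Consider having each helper reject the escape itself: `path = safe_join(DATAROOT, obj_path)`, `if path is None: abort(404)`, `return path`, mirroring the same change in the other backends so the failure mode is uniform. A short comment on the helpers noting that `safe_join` is a lexical check only (no symlink resolution) would also help the next reader.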
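--- a/opendiamond/dataretriever/test_store.py
+++ b/opendiamond/dataretriever/test_store.py
@@ -24,6 +24,8 @@
 from flask import Blueprint, url_for, Response, stream_with_context, send_file, \
 jsonify
 from werkzeug.datastructures import Headers
+from werkzeug.security import safe_join
+
 from opendiamond.dataretriever.test_utils import *
 
 
@@ -279,11 +281,11 @@ def _get_obj_path(obj_path):
 return obj_path.replace(DATAROOT+'/', '')
 
 def _get_obj_absolute_path(obj_path):
-return os.path.join(DATAROOT, obj_path)
+return safe_join(DATAROOT, obj_path)
 
 
 def _get_index_absolute_path(index):
-return os.path.join(INDEXDIR, index)
+return safe_join(INDEXDIR, index)
 
 
 @scope_blueprint.route('/obj/<path:obj_path>')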
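Review bot: `_get_obj_absolute_path` and `_get_index_absolute_path` in the second hunk return `None` on a traversal attempt now, and without a guard that `None` reaches whatever the `/obj/<path:obj_path>` route (outside this hunk) does with it, most likely a `TypeError` and a 500 rather than the intended rejection. A three-line guard keeps the rejection explicit: `path = safe_join(DATAROOT, obj_path)`, `if path is None: abort(404)`, `return path` (same for the index helper). The extra blank line the first hunk adds before the `test_utils` star-import correctly separates third-party from local imports; the star-import itself predates this commit and is out of scope here.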
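--- a/opendiamond/dataretriever/video_store.py
+++ b/opendiamond/dataretriever/video_store.py
@@ -21,6 +21,7 @@
 from flask import Blueprint, Response, request, stream_with_context, url_for
 from opendiamond.dataretriever.util import DiamondTextAttr
 from werkzeug.datastructures import Headers
+from werkzeug.security import safe_join
 
 # IMPORTANT: requires ffmpeg >= 3.3. Lower versions produce incorrect clipping.
 
@@ -122,11 +123,11 @@ def _get_object_element(start, span, video):
 
 
 def _get_obj_absolute_path(obj_path):
-return os.path.join(DATAROOT, obj_path)
+return safe_join(DATAROOT, obj_path)
 
 
 def _get_index_absolute_path(index):
-return os.path.join(INDEXDIR, index)
+return safe_join(INDEXDIR, index)
 
 
 def _ffprobe(video_path):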
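Review bot: In the second hunk both path helpers can now return `None` (the `werkzeug.security.safe_join` result for an escaping path) and pass it on unchecked; `_ffprobe(video_path)` starts on the last context line and its body is outside the hunk, so if it builds an ffprobe/ffmpeg command line from that path the `None` would blow up there as a `TypeError` rather than as a clean 404. I'd have the helpers reject the escape themselves: `path = safe_join(DATAROOT, obj_path)`, `if path is None: abort(404)`, `return path` (`abort` would need to join the `flask` import on the first line of the first hunk). A comment on each helper that the check is lexical only and does not follow symlinks out of `DATAROOT` is also worth adding.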
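--- a/opendiamond/dataretriever/yfcc100m_mysql_store.py
+++ b/opendiamond/dataretriever/yfcc100m_mysql_store.py
@@ -29,6 +29,7 @@
 import logging
 import mysql.connector
 from werkzeug.datastructures import Headers
+from werkzeug.security import safe_join
 from xml.sax.saxutils import quoteattr
 
 BASEURL = 'yfcc100m_mysql'
@@ -124,7 +125,7 @@ def get_object_id(dataset, seq_no):
 
 @scope_blueprint.route('/obj/<dataset>/<path:rel_path>')
 def get_object_src_http(dataset, rel_path):
-path = _get_obj_abosolute_path(dataset, rel_path)
+path = _get_obj_absolute_path(dataset, rel_path)
 response = send_file(path,
 cache_timeout=datetime.timedelta(
 days=365).total_seconds(),
@@ -133,8 +134,8 @@ def get_object_src_http(dataset, rel_path):
 return response
 
 
-def _get_obj_abosolute_path(dataset, rel_path):
-return os.path.join(DATAROOT, dataset, rel_path)
+def _get_obj_absolute_path(dataset, rel_path):
+return safe_join(DATAROOT, dataset, rel_path)
 
 
 def _get_object_element(dataset, seq_no, rel_path, download_link):
@@ -162,7 +163,7 @@ def _get_object_element(dataset, seq_no, rel_path, download_link):
 rel_path, download_link = row[0], row[1]
 
 if LOCAL_OBJ_URI:
-src_uri = 'file://' + os.path.join(DATAROOT, dataset, rel_path)
+src_uri = 'file://' + _get_obj_absolute_path(dataset, rel_path)
 else:
 src_uri = url_for('.get_object_src_http', dataset=dataset, rel_path=rel_path)
 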
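Review bot: Here the missing `None` check is directly visible: in the second hunk `get_object_src_http` passes the result of `_get_obj_absolute_path(dataset, rel_path)` straight into `send_file(path, ...)`, and in the fourth hunk `_get_object_element` does `'file://' + _get_obj_absolute_path(...)`, so a `dataset` or `rel_path` that `werkzeug.security.safe_join` rejects yields a `TypeError` (500) in the first case and a crash of the whole listing in the second, instead of a 404. Make the helper fail closed: `path = safe_join(DATAROOT, dataset, rel_path)`, `if path is None: abort(404)`, `return path`, with `abort` added to the `flask` import (that import line is outside this section). For the fourth hunk note that `rel_path` comes from a DB row (`row[0]`), not the URL, so if the database is considered trusted a log-and-skip may be preferable there to aborting the listing on a single bad row. The rename from `_get_obj_abosolute_path` also fixes a typo that previously made the route and helper names disagree in the diff context, which is welcome.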