From c4d1a8f61ec6c55915fe424bdc13dbf18f3009cf Mon Sep 17 00:00:00 2001
From: q1uf3ng
Date: Thu, 7 May 2026 10:59:18 +0800
Subject: [PATCH 1/2] security: fix path traversal in StaticFileHandler

The custom StaticFileHandler overrides validate_absolute_path() to return the path without any validation, removing Tornado's built-in path traversal protection. This allows requests like GET /img/../../../../etc/passwd to read arbitrary files. Restore path validation by using os.path.abspath() in get_absolute_path() and checking the resolved path is within the static root in validate_absolute_path().
---
 openhtf/output/servers/web_gui_server.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/openhtf/output/servers/web_gui_server.py b/openhtf/output/servers/web_gui_server.py
index 02346f6ce..4d5fb4611 100644
--- a/openhtf/output/servers/web_gui_server.py
+++ b/openhtf/output/servers/web_gui_server.py
@@ -95,9 +95,14 @@ class StaticFileHandler(tornado.web.StaticFileHandler):
 @classmethod
 def get_absolute_path(cls, root, path):
- return os.path.join(root, path)
+ return os.path.abspath(os.path.join(root, path))
 def validate_absolute_path(self, root, abspath):
+ root = os.path.abspath(root)
+ if not abspath.startswith(root + os.sep) and abspath != root:
+ raise tornado.web.HTTPError(403)
+ if not os.path.isfile(abspath):
+ raise tornado.web.HTTPError(404)
 return abspath

From 1f454ce30d55a335a0e688e000eed4f180b64d2e Mon Sep 17 00:00:00 2001
From: q1uf3ng
Date: Thu, 7 May 2026 15:02:41 +0800
Subject: [PATCH 2/2] trigger CLA recheck
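Review bot: The new `get_absolute_path` body is, unless I misremember Tornado's source, exactly what the base `tornado.web.StaticFileHandler.get_absolute_path` already returns, and the new `validate_absolute_path` is a reduced hand copy of Tornado's own check (which additionally tolerates a root that already ends in `os.sep`, and handles directories and `default_filename`), so if these overrides only ever existed to skip validation — as the commit message suggests — the more robust fix is to delete both methods and inherit the maintained upstream check rather than re-implement it here. If the override must stay for a reason outside this hunk (the class docstring and header are not shown), add a comment above `validate_absolute_path` stating it, e.g. `# NOTE: deliberately narrower than Tornado's check: directories are never served or redirected.`, so the next reader does not "simplify" it away again. Either variant only normalizes lexically via `os.path.abspath`, so a symlink inside the static root that points outside it is still served; if the static root can be written by anyone other than the deployer, compare `os.path.realpath(abspath)` against `os.path.realpath(root)` instead. The diffstat shows no test change; a regression test that requests a `..`-containing path and asserts a 403 would keep this protection from being silently removed a second time.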