Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

path_traversal with venv #70

Closed
netstuff opened this issue Jul 4, 2021 · 8 comments
Closed

path_traversal with venv #70

netstuff opened this issue Jul 4, 2021 · 8 comments

Comments

@netstuff
Copy link

netstuff commented Jul 4, 2021
edited

Hello!

I'm using poetry and got an issue with TEMPLATE_FOLDER option with exception TemplateFolderDoesNotExist because it not pass path_traversal check.

After debug I found out that:

  • base = Path(__file__).parent.parent inside path_traversal equals to PosixPath('/Users/netstuff/Sites/mailout/api/.venv/lib/python3.9/site-packages')
  • passed to TEMPLATE_FOLDER path equals to PosixPath('/Users/netstuff/Sites/mailout/api/src/mailout/templates/mail')

What can I do with it?
Thank you.
@kucera-lukas
Copy link
Contributor

Hi,

the path traversal check is indeed broken, for now you could just monkey patch that function to always return True, (fastapi_mail.config.path_traversal = lambda *args, **kwargs: True).

I think that doing base = Path(os.getcwd()) should fix the issue.

@netstuff
Copy link
Author

netstuff commented Jul 8, 2021

@kucera-lukas thank u very much! I have already done it ;)

@Turall
Copy link
Collaborator

Turall commented Jul 21, 2021
edited

Hi @netstuff, can you share your config file without creds. ?
project template folder should be at the root of the project or in subfolders.

conf = ConnectionConfig(
       ...
    TEMPLATE_FOLDER="./templates"
)

or

conf = ConnectionConfig(
       ...
    TEMPLATE_FOLDER="templates"
)

or

conf = ConnectionConfig(
       ...
    TEMPLATE_FOLDER="./templates/html/"
)

@Turall Turall mentioned this issue Jul 21, 2021
Closed
@netstuff
Copy link
Author

netstuff commented Jul 21, 2021
edited

Hi @Turall !

Here is my config (private settings is hidden by MAIL_SETTINGS)

ConnectionConfig(
    TEMPLATE_FOLDER=PosixPath('/Users/netstuff/project/api/src/templates/mail'),
    SUPPRESS_SEND=1,
    USE_CREDENTIALS=True,
    VALIDATE_CERTS=True,
    **MAIL_SETTINGS
)

@Turall
Copy link
Collaborator

Turall commented Jul 21, 2021

Hi @Turall !

Here is my config (private settings is hidden by MAIL_SETTINGS)

ConnectionConfig(
    TEMPLATE_FOLDER=PosixPath('/Users/netstuff/project/api/src/templates/mail'),
    SUPPRESS_SEND=1,
    USE_CREDENTIALS=True,
    VALIDATE_CERTS=True,
    **MAIL_SETTINGS
)

if your project root folder is project you must set TEMPLATE_FOLDER="./api/src/templates/mail"

@Turall
Copy link
Collaborator

Turall commented Jul 22, 2021

@netstuff could you solve your problem?

@sabuhish
Copy link
Owner

@Turall thanks for your help. He is right you should not set the full path, set it from the project root foler. @netstuff do you still face the same error?
Also one more suggestion to use:

TEMPLATE_FOLDER = Path(__file__).parent / 'template_folder',

@Turall Turall closed this as completed Aug 16, 2021
@francois-travais
Copy link

I'm facing the same issue than @netstuff , and TEMPLATE_FOLDER = Path(__file__).parent / 'template_folder' doesn't work. I had to disable the path_traversal as @kucera-lukas suggested.

@francois-travais francois-travais mentioned this issue Sep 17, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@netstuff @francois-travais @Turall @sabuhish @kucera-lukas