rick/LEDMatrix
1
0
Fork 0
mirror of https://github.com/ChuckBuilds/LEDMatrix.git synced 2026-04-10 21:03:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): use Path.relative_to() for path confinement (#284)

Browse Source 
* fix(security): use Path.relative_to() for path confinement check

Replace str.startswith() path check with Path.relative_to() in the
plugin file viewer endpoint. startswith() can be bypassed when a
directory name is a prefix of another (e.g., /plugins/foo vs
/plugins/foobar). relative_to() correctly validates containment.

Co-Authored-By: 5ymb01 <noreply@github.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: trigger CodeRabbit review

---------

Co-authored-by: 5ymb01 <5ymb01@users.noreply.github.com>
Co-authored-by: 5ymb01 <noreply@github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
5ymb01
2026-03-20 10:04:49 -04:00
committed by GitHub
parent 178dfb0c2a
commit f0dc094cd6
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
web_interface/blueprints/api_v3.py
View File

@@ -6286,7 +6286,9 @@ def serve_plugin_static(plugin_id, file_path):
requested_file = (plugin_dir / file_path).resolve() requested_file = (plugin_dir / file_path).resolve()
# Security check: ensure file is within plugin directory # Security check: ensure file is within plugin directory
if not str(requested_file).startswith(str(plugin_dir)): try:
requested_file.relative_to(plugin_dir)
except ValueError:
return jsonify({'status': 'error', 'message': 'Invalid file path'}), 403 return jsonify({'status': 'error', 'message': 'Invalid file path'}), 403
# Check if file exists # Check if file exists