fix(security): use Path.relative_to() for path confinement (#284)

* fix(security): use Path.relative_to() for path confinement check

Replace str.startswith() path check with Path.relative_to() in the
plugin file viewer endpoint. startswith() can be bypassed when a
directory name is a prefix of another (e.g., /plugins/foo vs
/plugins/foobar). relative_to() correctly validates containment.

Co-Authored-By: 5ymb01 <noreply@github.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: trigger CodeRabbit review

---------

Co-authored-by: 5ymb01 <5ymb01@users.noreply.github.com>
Co-authored-by: 5ymb01 <noreply@github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
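The prefix bypass the commit message describes, shown side by side with the corrected check, as an added example that is not part of this commit or the project's code. The directory layout is constructed in a temporary directory, and `confined_by_startswith` / `confined_by_relative_to` are assumed names that reproduce the before and after checks from the hunk:

```python
import tempfile
from pathlib import Path


def confined_by_startswith(plugin_dir: Path, file_path: str) -> bool:
    # Pre-fix check: plain string prefix comparison on the resolved path.
    requested_file = (plugin_dir / file_path).resolve()
    return str(requested_file).startswith(str(plugin_dir))


def confined_by_relative_to(plugin_dir: Path, file_path: str) -> bool:
    # Post-fix check: component-wise containment, so a sibling directory
    # whose name merely shares a string prefix is rejected.
    requested_file = (plugin_dir / file_path).resolve()
    try:
        requested_file.relative_to(plugin_dir)
    except ValueError:
        return False
    return True


def compare_checks(plugin_dir: Path, file_path: str) -> tuple:
    """Return (startswith_result, relative_to_result) for one request."""
    return (confined_by_startswith(plugin_dir, file_path),
            confined_by_relative_to(plugin_dir, file_path))


def run_demo() -> dict:
    # Constructed layout: plugins/foo (the served plugin) next to
    # plugins/foobar, whose path has plugins/foo as a string prefix.
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp).resolve() / "plugins"
        (plugins / "foo" / "static").mkdir(parents=True)
        (plugins / "foobar").mkdir()
        # plugin_dir is resolved as well, so both sides of the check are canonical.
        plugin_dir = (plugins / "foo").resolve()
        requests = ["static/app.js", "../foobar/config.json", "../../outside.txt"]
        return {req: compare_checks(plugin_dir, req) for req in requests}


if __name__ == "__main__":
    for req, (old, new) in run_demo().items():
        print(f"{req:24} startswith={old!s:5} relative_to={new}")
```

The `../foobar/config.json` request is the case from the commit message: the old check accepts it because `.../plugins/foobar/...` begins with `.../plugins/foo`, while `relative_to()` rejects it.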
5ymb01
2026-03-20 10:04:49 -04:00
committed by GitHub
parent 178dfb0c2a
commit f0dc094cd6


@@ -6286,7 +6286,9 @@ def serve_plugin_static(plugin_id, file_path):
requested_file = (plugin_dir / file_path).resolve()
# Security check: ensure file is within plugin directory
if not str(requested_file).startswith(str(plugin_dir)):
try:
requested_file.relative_to(plugin_dir)
except ValueError:
return jsonify({'status': 'error', 'message': 'Invalid file path'}), 403
# Check if file exists
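Review bot: the new `relative_to()` test is purely lexical, so it is only sound when `plugin_dir` has been canonicalised the same way as `requested_file`; the hunk resolves `requested_file` but does not show `plugin_dir` being resolved, and if `plugin_dir` still carries a symlink component or a `..` segment, the comparison is no longer against the real directory and legitimate requests may be rejected. Suggest resolving it alongside, e.g. `plugin_dir = plugin_dir.resolve()` immediately before `requested_file = (plugin_dir / file_path).resolve()`, or asserting on entry that `plugin_dir` is absolute and already resolved. The replacement of the `startswith()` prefix test with the `try` / `except ValueError` block is otherwise correct and the 403 response is unchanged.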