Sākums Izpētīt Palīdzība
Reģistrēties Pierakstīties
zhengchun
/
PaddleX
1
0
Atdalīts 0
Faili Problēmas 0 Izmaiņu pieprasījumi 0 Vikivietne
Pārlūkot izejas kodu

fix restful security issue

will-jl944 4 gadi atpakaļ
vecāks
35353525c4
revīzija
df2d50ac1d
2 mainītis faili ar 18 papildinājumiem un 0 dzēšanām
Dalītais skats Rādīt salīdzināšanas statistiku
  1. 9 0
      paddlex_restful/restful/app.py
  2. 9 0
      static/paddlex_restful/restful/app.py

+ 9 - 0
paddlex_restful/restful/app.py
Parādīt failu 

@@ -207,6 +207,9 @@ def get_image_file():
 
     data = request.get_json()
 
     if request.method == 'GET':
 
         ret = data['path']
 
+        assert os.path.abspath(ret).startswith(
 
+            os.path.abspath(SD.workspace_dir)
 
+        ) and ".." not in ret, "Illegal path {}.".format(ret)
 
         return send_file(ret)
 
 
 
@@ -584,6 +587,9 @@ def task_evaluate_file():
 
     if request.method == 'GET':
 
         if 'path' in data:
 
             ret = data['path']
 
+            assert os.path.abspath(ret).startswith(
 
+                os.path.abspath(SD.workspace_dir)
 
+            ) and ".." not in ret, "Illegal path {}.".format(ret)
 
             return send_file(ret)
 
         else:
 
             from .project.task import get_evaluate_result
 
@@ -920,6 +926,9 @@ def model_file():
 
     data = request.get_json()
 
     if request.method == 'GET':
 
         ret = data['path']
 
+        assert os.path.abspath(ret).startswith(
 
+            os.path.abspath(SD.workspace_dir)
 
+        ) and ".." not in ret, "Illegal path {}.".format(ret)
 
         return send_file(ret)

+ 9 - 0
static/paddlex_restful/restful/app.py
Parādīt failu 

@@ -206,6 +206,9 @@ def get_image_file():
 
     data = request.get_json()
 
     if request.method == 'GET':
 
         ret = data['path']
 
+        assert os.path.abspath(ret).startswith(
 
+            os.path.abspath(SD.workspace_dir)
 
+        ) and ".." not in ret, "Illegal path {}.".format(ret)
 
         return send_file(ret)
 
 
 
@@ -583,6 +586,9 @@ def task_evaluate_file():
 
     if request.method == 'GET':
 
         if 'path' in data:
 
             ret = data['path']
 
+            assert os.path.abspath(ret).startswith(
 
+                os.path.abspath(SD.workspace_dir)
 
+            ) and ".." not in ret, "Illegal path {}.".format(ret)
 
             return send_file(ret)
 
         else:
 
             from .project.task import get_evaluate_result
 
@@ -919,6 +925,9 @@ def model_file():
 
     data = request.get_json()
 
     if request.method == 'GET':
 
         ret = data['path']
 
+        assert os.path.abspath(ret).startswith(
 
+            os.path.abspath(SD.workspace_dir)
 
+        ) and ".." not in ret, "Illegal path {}.".format(ret)
 
         return send_file(ret)