Path traversal check

2024-06-14 11:29:26 +00:00 · 2021-10-26 15:41:14 -04:00 · 2021-10-26 15:41:14 -04:00 · a1244b9e3e
parent d12c81b773
commit a1244b9e3e
3 changed files with 24 additions and 5 deletions
--- a/app/app.py
+++ b/app/app.py
@ -12,7 +12,7 @@ from flask_swagger_ui import get_swaggerui_blueprint
 from translatehtml import translate_html
 from werkzeug.utils import secure_filename

-from app import flood, remove_translated_files
+from app import flood, remove_translated_files, security
 from app.language import detect_languages, transliterate
 from .api_keys import Database
 from .suggestions import Database as SuggestionsDatabase
@ -621,10 +621,15 @@ def create_app(args):
        Download a translated file
        """
        if args.disable_files_translation:
-            abort(403, description="Files translation are disabled on this server.")
-
-
+            abort(400, description="Files translation are disabled on this server.")
+        
        filepath = os.path.join(get_upload_dir(), filename)
+        try:
+            checked_filepath = security.path_traversal_check(filepath, get_upload_dir())
+            if os.path.isfile(checked_filepath):
+                filepath = checked_filepath
+        except security.SuspiciousFileOperation:
+            abort(400, description="Invalid filename")

        return_data = io.BytesIO()
        with open(filepath, 'rb') as fo:
--- a/app/security.py
+++ b/app/security.py
@ -0,0 +1,14 @@
+import os
+
+class SuspiciousFileOperation(Exception):
+    pass
+
+def path_traversal_check(unsafe_path, known_safe_path):
+    known_safe_path = os.path.abspath(known_safe_path)
+    unsafe_path = os.path.abspath(unsafe_path)
+
+    if (os.path.commonprefix([known_safe_path, unsafe_path]) != known_safe_path):
+        raise SuspiciousFileOperation("{} is not safe".format(unsafe_path))
+
+    # Passes the check
+    return unsafe_path
--- a/app/templates/index.html
+++ b/app/templates/index.html
@ -175,7 +175,7 @@
                        <div class="row" v-if="translationType === 'files'">
                            <div class="file-dropzone">
                                <div v-if="inputFile === false" class="dropzone-content">
-                                    <span>Supported file format: [[ supportedFilesFormatFormatted ]]</span>
+                                    <span>Supported file formats: [[ supportedFilesFormatFormatted ]]</span>
                                    <form action="#">
                                        <div class="file-field input-field">
                                            <div class="btn">