frontend: Patch path traversal vulnerability

2026-06-03 06:24:16 -05:00 · 2021-07-06 15:37:22 -05:00 · 2021-07-06 15:37:22 -05:00 · f0792067b7
commit f0792067b7
parent 33d0000c77
1 changed files with 4 additions and 0 deletions
--- a/bemani/frontend/app.py
+++ b/bemani/frontend/app.py
@ -130,6 +130,10 @@ def cacheable(max_age: int) -> Callable:
 def jsx(filename: str) -> Response:
    # Figure out what our update time is to namespace on
    jsxfile = os.path.join(static_location, filename)
+    normalized_path = os.path.normpath(jsxfile)
+    # Check for path traversal exploit
+    if not normalized_path.startswith(static_location):
+        raise IOError()
    mtime = os.path.getmtime(jsxfile)
    namespace = f'{mtime}.{jsxfile}'
    jsx = g.cache.get(namespace)