Handle suspicious file operations and return a 404.

learningequality · Dec 6, 2023 · 0cc6d65 · 0cc6d65
1 parent fb70ecd
commit 0cc6d65
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 4 deletions.
diff --git a/kolibri/utils/kolibri_whitenoise.py b/kolibri/utils/kolibri_whitenoise.py
@@ -6,6 +6,7 @@
 from wsgiref.headers import Headers
 
 from django.contrib.staticfiles import finders
+from django.core.exceptions import SuspiciousFileOperation
 from django.core.files.storage import FileSystemStorage
 from django.utils._os import safe_join
 from six.moves.urllib.parse import parse_qs
@@ -294,10 +295,13 @@ def find_and_cache_dynamic_file(self, url, remote_baseurl):
         return self.files.get(url)
 
     def get_dynamic_path(self, url):
-        if self.static_prefix is not None and url.startswith(self.static_prefix):
-            return finders.find(url[len(self.static_prefix) :])
-        if self.dynamic_check is not None and self.dynamic_check.match(url):
-            return self.dynamic_finder.find(url)
+        try:
+            if self.static_prefix is not None and url.startswith(self.static_prefix):
+                return finders.find(url[len(self.static_prefix) :])
+            if self.dynamic_check is not None and self.dynamic_check.match(url):
+                return self.dynamic_finder.find(url)
+        except SuspiciousFileOperation:
+            pass
 
     def candidate_paths_for_url(self, url):
         paths = super(DynamicWhiteNoise, self).candidate_paths_for_url(url)

diff --git a/kolibri/utils/tests/test_kolibri_whitenoise.py b/kolibri/utils/tests/test_kolibri_whitenoise.py
@@ -5,6 +5,7 @@
 
 from kolibri.utils.kolibri_whitenoise import DynamicWhiteNoise
 from kolibri.utils.kolibri_whitenoise import FileFinder
+from kolibri.utils.kolibri_whitenoise import NOT_FOUND
 
 
 def test_file_finder():
@@ -86,3 +87,24 @@ def test_dynamic_whitenoise():
     os.remove(tempdir22tempfilepath)
     os.removedirs(tempdir11)
     os.removedirs(tempdir12)
+
+
+def test_dynamic_whitenoise_suspicious_file():
+    tempdir11 = tempfile.mkdtemp()
+    tempdir12 = tempfile.mkdtemp()
+    prefix1 = "/test"
+    dynamic_whitenoise = DynamicWhiteNoise(
+        MagicMock(),
+        dynamic_locations=[
+            (prefix1, tempdir11),
+            (prefix1, tempdir12),
+        ],
+    )
+    assert (
+        dynamic_whitenoise.find_and_cache_dynamic_file(
+            prefix1 + "/" + tempdir11 + "../../../leet_haxx0r.js", None
+        )
+        is not NOT_FOUND
+    )
+    os.removedirs(tempdir11)
+    os.removedirs(tempdir12)