From 0cc6d655143d81f302fa6ce3bf3fcc47c5b9545a Mon Sep 17 00:00:00 2001
From: Richard Tibbles
Date: Wed, 6 Dec 2023 08:36:26 -0800
Subject: [PATCH] Handle suspicious file operations and return a 404.
---
kolibri/utils/kolibri_whitenoise.py | 12 ++++++----
.../utils/tests/test_kolibri_whitenoise.py | 22 +++++++++++++++++++
2 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/kolibri/utils/kolibri_whitenoise.py b/kolibri/utils/kolibri_whitenoise.py
index d43cdb739d5..379710dfd99 100644
--- a/kolibri/utils/kolibri_whitenoise.py
+++ b/kolibri/utils/kolibri_whitenoise.py
@@ -6,6 +6,7 @@ from wsgiref.headers import Headers
from django.contrib.staticfiles import finders
+from django.core.exceptions import SuspiciousFileOperation
from django.core.files.storage import FileSystemStorage
from django.utils._os import safe_join
from six.moves.urllib.parse import parse_qs
@@ -294,10 +295,13 @@ def find_and_cache_dynamic_file(self, url, remote_baseurl):
return self.files.get(url)
def get_dynamic_path(self, url):
- if self.static_prefix is not None and url.startswith(self.static_prefix):
- return finders.find(url[len(self.static_prefix) :])
- if self.dynamic_check is not None and self.dynamic_check.match(url):
- return self.dynamic_finder.find(url)
+ try:
+ if self.static_prefix is not None and url.startswith(self.static_prefix):
+ return finders.find(url[len(self.static_prefix) :])
+ if self.dynamic_check is not None and self.dynamic_check.match(url):
+ return self.dynamic_finder.find(url)
+ except SuspiciousFileOperation:
+ pass
def candidate_paths_for_url(self, url):
paths = super(DynamicWhiteNoise, self).candidate_paths_for_url(url)
diff --git a/kolibri/utils/tests/test_kolibri_whitenoise.py b/kolibri/utils/tests/test_kolibri_whitenoise.py
index 40e9dcafedc..67bb034c2a7 100644
--- a/kolibri/utils/tests/test_kolibri_whitenoise.py
+++ b/kolibri/utils/tests/test_kolibri_whitenoise.py
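Review bot: The new `except SuspiciousFileOperation: pass` in get_dynamic_path drops the event silently, so a request whose path resolves outside the served root (presumably raised by `safe_join` inside `finders.find` or `self.dynamic_finder.find`) is indistinguishable in the logs from an ordinary miss. Since the method then falls off the end and returns None, a comment plus a log line would make both the intent and the signal explicit: `except SuspiciousFileOperation:` / `# Path resolved outside the configured root; serve it as a 404.` / `logger.warning("Rejected path outside served root: %s", url)` — using the module's logger if it has one, otherwise `logging.getLogger(__name__)`. An explicit `return None` after the handler would also document that the 404 is intentional rather than an accidental fall-through. The import hunk above only brings in the exception class and needs nothing further.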
@@ -5,6 +5,7 @@ from kolibri.utils.kolibri_whitenoise import DynamicWhiteNoise
from kolibri.utils.kolibri_whitenoise import FileFinder
+from kolibri.utils.kolibri_whitenoise import NOT_FOUND
def test_file_finder():
@@ -86,3 +87,24 @@ def test_dynamic_whitenoise():
os.remove(tempdir22tempfilepath)
os.removedirs(tempdir11)
os.removedirs(tempdir12)
+
+
+def test_dynamic_whitenoise_suspicious_file():
+ tempdir11 = tempfile.mkdtemp()
+ tempdir12 = tempfile.mkdtemp()
+ prefix1 = "/test"
+ dynamic_whitenoise = DynamicWhiteNoise(
+ MagicMock(),
+ dynamic_locations=[
+ (prefix1, tempdir11),
+ (prefix1, tempdir12),
+ ],
+ )
+ assert (
+ dynamic_whitenoise.find_and_cache_dynamic_file(
+ prefix1 + "/" + tempdir11 + "../../../leet_haxx0r.js", None
+ )
+ is not NOT_FOUND
+ )
+ os.removedirs(tempdir11)
+ os.removedirs(tempdir12)
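Review bot: The assertion `is not NOT_FOUND` in test_dynamic_whitenoise_suspicious_file is also satisfied by `None` — which is what `self.files.get(url)` yields for any uncached URL, assuming `self.files` is a plain dict — so the test does not pin what the commit claims: it would still pass if the traversal URL were resolved to a real file entry, as long as that entry is not the sentinel. Assert the exact value the 404 path produces instead (`is None` if misses are not cached, `is NOT_FOUND` if they are; find_and_cache_dynamic_file's body is outside this diff, so pick whichever the implementation yields), which together with the absence of a raised `SuspiciousFileOperation` is the behaviour the change introduces. Two smaller points: the constructed URL joins `tempdir11` and `"../../../leet_haxx0r.js"` with no separator, so the first traversal segment is `<tmpdir>..` rather than `..` (presumably unintended, though it still escapes the root), and the two `os.removedirs` calls should sit in a `finally:` so a failing assertion does not leak the temp directories.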