
Handle suspicious file operations and return a 404. #11596

Conversation

@rtibbles rtibbles (Member) commented Dec 6, 2023

Summary

  • Django already smartly handles attempts to traverse the file system with URL paths
  • We now catch these errors and return a 404
  • Adds a regression test for this behaviour

References

Fixes #11595

Reviewer guidance

Do the changes make sense? Does the test make sense?


Testing checklist

  • Contributor has fully tested the PR manually
  • If there are any front-end changes, before/after screenshots are included
  • Critical user journeys are covered by Gherkin stories
  • Critical and brittle code paths are covered by unit tests

PR process

  • PR has the correct target branch and milestone
  • PR has 'needs review' or 'work-in-progress' label
  • If PR is ready for review, a reviewer has been added. (Don't use 'Assignees')
  • If this is an important user-facing change, PR or related issue has a 'changelog' label
  • If this includes an internal dependency change, a link to the diff is provided

Reviewer checklist

  • Automated test coverage is satisfactory
  • PR is fully functional
  • PR has been tested for accessibility regressions
  • External dependency files were updated if necessary (yarn and pip)
  • Documentation is updated
  • Contributor is in AUTHORS.md

@rtibbles rtibbles added the DEV: backend Python, databases, networking, filesystem... label Dec 6, 2023
@rtibbles rtibbles requested a review from jredrejo December 6, 2023 16:39
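An added illustration of the pattern the summary describes (example code, not Kolibri's kolibri_whitenoise and not Django's own): a static-file lookup resolves the request path under a root directory, Django's `safe_join` refuses any result that lands outside that root by raising `SuspiciousFileOperation`, and the handler catches that exception and answers 404 rather than letting it escape as an unhandled server error. To run without Django installed, `SuspiciousFileOperation` is a stand-in for `django.core.exceptions.SuspiciousFileOperation` and `safe_join` re-implements the check performed by `django.utils._os.safe_join`; the function names, the `js/app.js` fixture and the `serve` handler are assumptions for the example, not the project's API.

```python
"""Added example (not Kolibri's kolibri_whitenoise code and not Django's):
a static-file lookup that turns Django's path-traversal guard into a 404
instead of letting it surface as an unhandled exception (a 500)."""
import os
import tempfile
from os.path import abspath, dirname, isfile, join, normcase, sep
from urllib.parse import unquote


class SuspiciousFileOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousFileOperation so the
    example runs without Django installed."""


def safe_join(base, *paths):
    """Mirror of the check in django.utils._os.safe_join: join the parts and
    refuse any result that does not sit at or below ``base``."""
    final_path = abspath(join(base, *paths))
    base_path = abspath(base)
    if (
        not normcase(final_path).startswith(normcase(base_path + sep))
        and normcase(final_path) != normcase(base_path)
        and dirname(normcase(base_path)) != normcase(base_path)  # base is "/"
    ):
        raise SuspiciousFileOperation(
            "The joined path ({}) is located outside of the base path "
            "component ({})".format(final_path, base_path)
        )
    return final_path


def url_to_segments(url_path):
    """Percent-decode the request path and split it into path segments,
    so an encoded '%2e%2e' is judged the same way as a literal '..'."""
    return unquote(url_path).lstrip("/").split("/")


def find_file_unguarded(root, url_path):
    """'Before': a traversal attempt raises out of the lookup, and the WSGI
    layer reports it as a server error."""
    path = safe_join(root, *url_to_segments(url_path))
    return path if isfile(path) else None


def find_file(root, url_path):
    """'After': a traversal attempt is treated like any other missing file."""
    try:
        path = safe_join(root, *url_to_segments(url_path))
    except SuspiciousFileOperation:
        return None
    return path if isfile(path) else None


def serve(root, url_path):
    """Minimal handler: (status, body) for a GET of ``url_path`` under ``root``."""
    path = find_file(root, url_path)
    if path is None:
        return 404, b"Not Found"
    with open(path, "rb") as fh:
        return 200, fh.read()


def make_demo_root():
    """Constructed fixture: a temporary static root holding js/app.js."""
    root = tempfile.mkdtemp(prefix="static_root_")
    os.makedirs(join(root, "js"))
    with open(join(root, "js", "app.js"), "wb") as fh:
        fh.write(b"console.log('hello');\n")
    return root


if __name__ == "__main__":
    demo = make_demo_root()
    for req in ("/js/app.js", "/js/missing.js", "/../../etc/passwd",
                "/js/%2e%2e/%2e%2e/etc/passwd"):
        print(req, "->", serve(demo, req)[0])
```

The defensive point is the shape of `find_file`: the guard in `safe_join` already does the hard work, and the only change the fix needs is to map its exception onto the same "not found" path a missing file takes, so the response leaks nothing about why the lookup failed and the server log is not filled with 500s for requests that were never going to be served.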
@jredrejo jredrejo (Member) left a comment

LGTM

@rtibbles rtibbles merged commit b7794aa into learningequality:release-v0.16.x Dec 6, 2023
34 checks passed
@rtibbles rtibbles deleted the we_cant_go_on_together_with_suspicious_files branch December 6, 2023 18:39
Labels: DEV: backend Python, databases, networking, filesystem...; SIZE: small

Merging this pull request may close: Handle SuspiciousFileOperations in kolibri_whitenoise and return a 404

2 participants