fix: don't serve static files outside of dir packages
MHajoha committed Oct 31, 2024
1 parent 66b7b20 commit 8c1cd3b
Showing 2 changed files with 8 additions and 2 deletions.
2 changes: 1 addition & 1 deletion pyproject.toml
Expand Up @@ -8,7 +8,7 @@ description = "QuestionPy application server"
authors = ["Technische Universität Berlin, innoCampus <[email protected]>"]
license = "MIT"
homepage = "https://questionpy.org"
version = "0.3.0"
version = "0.3.1"
packages = [
{ include = "questionpy_common" },
{ include = "questionpy_server" }
8 changes: 7 additions & 1 deletion questionpy_server/worker/impl/_base.py
Expand Up @@ -288,7 +288,13 @@ def _get_static_file_sync(self, path: str, manifest: Manifest) -> PackageFileDat
return PackageFileData(zipinfo.file_size, manifest_entry.mime_type, zip_file.read(dist_path))

elif isinstance(self.package, DirPackageLocation):
full_path: Path = self.package.path / path
full_path: Path = (self.package.path / path).resolve()

if not full_path.is_relative_to(self.package.path):
log.info("Refusing to serve static file '%s', which lies outside the package (resolves to '%s')",
path, full_path)
raise FileNotFoundError(path)

try:
real_size = full_path.stat().st_size
except FileNotFoundError:
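Review bot: The containment check compares a fully resolved candidate path against an unresolved root — `full_path.is_relative_to(self.package.path)` — so whenever `self.package.path` is relative or passes through a symlink, `resolve()` yields an absolute, symlink-free path that is never relative to the root and every static file in a dir package is refused. The fix is to canonicalize the root the same way before comparing: `package_root = self.package.path.resolve()`, `full_path: Path = (package_root / path).resolve()`, `if not full_path.is_relative_to(package_root):`. Note that `Path.__truediv__` discards the left operand when `path` is absolute, so the resolve-then-compare order is what makes this guard effective, and a short comment saying so, e.g. `# resolve first: an absolute or '..' path would otherwise escape the package root`, would keep a later refactor from dropping the `.resolve()`. The enclosing `_get_static_file_sync` starts before and continues past this hunk, so the remaining read path after `stat()` was not reviewed.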

