From 8c1cd3bb169fd87af24f17968d8abb78766322f0 Mon Sep 17 00:00:00 2001
From: Maximilian Haye
Date: Thu, 31 Oct 2024 13:25:40 +0100
Subject: [PATCH] fix: don't serve static files outside of dir packages
---
 pyproject.toml | 2 +-
 questionpy_server/worker/impl/_base.py | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/pyproject.toml b/pyproject.toml
index 13fc72a..acd3cf2 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -8,7 +8,7 @@ description = "QuestionPy application server"
 authors = ["Technische Universität Berlin, innoCampus "]
 license = "MIT"
 homepage = "https://questionpy.org"
-version = "0.3.0"
+version = "0.3.1"
 packages = [
 { include = "questionpy_common" },
 { include = "questionpy_server" }
diff --git a/questionpy_server/worker/impl/_base.py b/questionpy_server/worker/impl/_base.py
index fd72611..80b721d 100644
--- a/questionpy_server/worker/impl/_base.py
+++ b/questionpy_server/worker/impl/_base.py
@@ -288,7 +288,13 @@ def _get_static_file_sync(self, path: str, manifest: Manifest) -> PackageFileDat
 return PackageFileData(zipinfo.file_size, manifest_entry.mime_type, zip_file.read(dist_path))
 elif isinstance(self.package, DirPackageLocation):
- full_path: Path = self.package.path / path
+ full_path: Path = (self.package.path / path).resolve()
+
+ if not full_path.is_relative_to(self.package.path):
+ log.info("Refusing to serve static file '%s', which lies outside the package (resolves to '%s')",
+ path, full_path)
+ raise FileNotFoundError(path)
+
 try:
 real_size = full_path.stat().st_size
 except FileNotFoundError:
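Review bot: The containment check in the DirPackageLocation branch compares the fully resolved `full_path` against the unresolved `self.package.path`; if the package directory is itself reached through a symlink, or is stored as a relative path, `resolve()` produces a different prefix and `is_relative_to` rejects every file in the package, turning the fix into a denial of all static files. Resolve the base once and compare against that: `base = self.package.path.resolve()` / `full_path: Path = (base / path).resolve()` / `if not full_path.is_relative_to(base):`. Because `resolve()` also follows symlinks inside the package, a link that points outside the directory is refused too, which appears to be the intent and deserves a one-line comment such as `# resolve() follows symlinks, so links escaping the package are rejected as well`. Since the refusal is a security-relevant event rather than routine flow, `log.warning` would arguably fit better than `log.info`. `_get_static_file_sync` starts and ends outside the hunk, so the zip branch above was not reviewed here.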