Security issue fix for /static-files/{path} endpoint (#1003)

* Fix security issue when incorrect path is given to the endpoint that serves static files which can lead to a leak of non wanted files (e.g. /static-files/../../../../etc/passwd)
aimhubio · Nov 15, 2021 · b9e53df · b9e53df
1 parent 0b99c6c
commit b9e53df
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/aim/web/api/views.py b/aim/web/api/views.py
@@ -1,15 +1,23 @@
 import os
+from pathlib import Path
 
 from aim.web.api.utils import APIRouter  # wrapper for fastapi.APIRouter
 from fastapi.responses import FileResponse
+from fastapi import HTTPException
 
 statics_router = APIRouter()
 
 
 @statics_router.get('/static-files/{path:path}/')
 async def serve_static_files(path):
     from aim import web
-    static_file_name = os.path.join(os.path.dirname(web.__file__), 'ui', 'build', path)
+    static_files_root = os.path.join(os.path.dirname(web.__file__), 'ui', 'build')
+    static_file_name = '/'.join((static_files_root, path))
+
+    # check if path is leading inside ui/build directory
+    if not Path(static_files_root) in Path(static_file_name).resolve().parents:
+        raise HTTPException(404)
+
     compressed_file_name = '{}.gz'.format(static_file_name)
     if os.path.exists(compressed_file_name):
         return FileResponse(compressed_file_name, headers={'Content-Encoding': 'gzip'})