UPD: ensure file paths are safe before accessing

nandyalu · Feb 3, 2025 · 66449c5 · 66449c5
1 parent 5cf8439
commit 66449c5
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/backend/api/v1/files.py b/backend/api/v1/files.py
@@ -12,6 +12,8 @@
 
 CHUNK_SIZE = 1024 * 1024 * 5  # 5 MB
 
+UNSAFE_PATHS = [".", "/app", "/bin", "/boot", "/etc", "/lib", "/sbin", "/usr", "/var"]
+
 
 def _is_path_safe(path: str) -> bool:
     """Check if the path is safe.\n
@@ -20,6 +22,10 @@ def _is_path_safe(path: str) -> bool:
     Returns:
         bool: True if the path is safe, False otherwise."""
     abs_path = os.path.abspath(path)
+    # Check if path is in unsafe paths
+    for unsafe_path in UNSAFE_PATHS:
+        if abs_path.startswith(unsafe_path):
+            return False
     # Check if path is atleast 3 levels deep
     if abs_path.count("/") < 3:
         return False