Suggested mitigation for KL-CAN-2024-002.

This commit is contained in:
KoreLogic Disclosures 2024-04-01 15:55:14 -05:00
parent edeff20e1d
commit 6c96361402
No known key found for this signature in database
GPG key ID: 0CA2EC09395691E9

View file

@ -448,8 +448,25 @@ def store_doc(
log.info(f"file.content_type: {file.content_type}") log.info(f"file.content_type: {file.content_type}")
try: try:
is_valid_filename = True
unsanitized_filename = file.filename
if not unsanitized_filename.isascii():
is_valid_filename = False
unvalidated_file_path = f"{UPLOAD_DIR}/{unsanitized_filename}"
dereferenced_file_path = str(Path(unvalidated_file_path).resolve(strict=False))
if not dereferenced_file_path.startswith(UPLOAD_DIR):
is_valid_filename = False
if is_valid_filename:
file_path = dereferenced_file_path
else:
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail=ERROR_MESSAGES.DEFAULT(),
)
filename = file.filename filename = file.filename
file_path = f"{UPLOAD_DIR}/{filename}"
contents = file.file.read() contents = file.file.read()
with open(file_path, "wb") as f: with open(file_path, "wb") as f:
f.write(contents) f.write(contents)