tdpeuter/open-webui
tdpeuter/open-webui
1
Fork 0
forked from open-webui/open-webui
Code Issues Pull requests 1 Projects 1 Releases 2 Packages 1 Activity Actions

Merge pull request from GHSA-9pgh-j74g-qj6m

Browse source 
Suggested mitigation for KL-CAN-2024-002.
This commit is contained in:
Timothy Jaeryang Baek 2024-04-01 15:21:56 -07:00 committed by GitHub
commit 83c7633acb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 18 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

19
backend/apps/rag/main.py
View file

@ -448,8 +448,25 @@ def store_doc(
log.info(f"file.content_type: {file.content_type}") log.info(f"file.content_type: {file.content_type}")
try: try:
is_valid_filename = True
unsanitized_filename = file.filename
if not unsanitized_filename.isascii():
is_valid_filename = False
unvalidated_file_path = f"{UPLOAD_DIR}/{unsanitized_filename}"
dereferenced_file_path = str(Path(unvalidated_file_path).resolve(strict=False))
if not dereferenced_file_path.startswith(UPLOAD_DIR):
is_valid_filename = False
if is_valid_filename:
file_path = dereferenced_file_path
else:
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail=ERROR_MESSAGES.DEFAULT(),
)
filename = file.filename filename = file.filename
file_path = f"{UPLOAD_DIR}/{filename}"
contents = file.file.read() contents = file.file.read()
with open(file_path, "wb") as f: with open(file_path, "wb") as f:
f.write(contents) f.write(contents)