prevent deletion of documents not in hotdir via director traversal (#258)

resolves #257
2024-07-04 16:20:12 +02:00 · 2023-09-29 20:04:47 +02:00 · 2023-09-29 20:04:47 +02:00 · 18798c5b64
commit 18798c5b64
parent d5b1f84a4c
1 changed files with 2 additions and 1 deletions
--- a/collector/api.py
+++ b/collector/api.py
@ -1,3 +1,4 @@
+import os
 from flask import Flask, json, request
 from scripts.watch.process_single import process_single
 from scripts.watch.filetypes import ACCEPTED_MIMES
@ -7,7 +8,7 @@ WATCH_DIRECTORY = "hotdir"
@api.route('/process', methods=['POST'])
 def process_file():
  content = request.json
-  target_filename = content.get('filename')
+  target_filename = os.path.normpath(content.get('filename')).lstrip(os.pardir + os.sep)
  print(f"Processing {target_filename}")
  success, reason = process_single(WATCH_DIRECTORY, target_filename)
  return json.dumps({'filename': target_filename, 'success': success, 'reason': reason})