From 18798c5b640018aaee924e0afd941705d88df92e Mon Sep 17 00:00:00 2001
From: Timothy Carambat
Date: Fri, 29 Sep 2023 20:04:47 +0200
Subject: [PATCH] prevent deletion of documents not in hotdir via director traversal (#258)

resolves #257
---
 collector/api.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/collector/api.py b/collector/api.py
index 71d3af59..abe61639 100644
--- a/collector/api.py
+++ b/collector/api.py
@@ -1,3 +1,4 @@
+import os
 from flask import Flask, json, request
 from scripts.watch.process_single import process_single
 from scripts.watch.filetypes import ACCEPTED_MIMES
@@ -7,7 +8,7 @@ WATCH_DIRECTORY = "hotdir"
 @api.route('/process', methods=['POST'])
 def process_file():
     content = request.json
-    target_filename = content.get('filename')
+    target_filename = os.path.normpath(content.get('filename')).lstrip(os.pardir + os.sep)
     print(f"Processing {target_filename}")
     success, reason = process_single(WATCH_DIRECTORY, target_filename)
     return json.dumps({'filename': target_filename, 'success': success, 'reason': reason})
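Review bot: `str.lstrip(os.pardir + os.sep)` on the new `target_filename` line strips a set of characters rather than a `../` prefix, so any legitimate name that begins with `.` (a dotfile, or something like `..notes.txt`) is silently renamed before `process_single` sees it, and a request whose JSON lacks `filename` now raises `TypeError` inside `os.path.normpath` instead of returning the usual `{'success': False, ...}` response. A containment check states the intent directly and is more robust: resolve the candidate against `WATCH_DIRECTORY` with `os.path.realpath` and refuse it when `os.path.commonpath` shows it lies outside the watch directory, which also covers absolute paths and symlinked parents. This assumes `process_single` joins its two arguments rather than treating the second as a path on its own — worth confirming in `scripts.watch.process_single` before relying on the relative name below.
```python
def process_file():
    content = request.json
    requested = content.get('filename') or ''
    # Resolve the requested name inside the watch directory and reject anything
    # that escapes it (absolute paths, leading "..", symlinked parents).
    base = os.path.realpath(WATCH_DIRECTORY)
    candidate = os.path.realpath(os.path.join(base, requested))
    if not requested or os.path.commonpath([base, candidate]) != base:
        return json.dumps({'filename': requested, 'success': False, 'reason': 'Invalid filename'})
    target_filename = os.path.relpath(candidate, base)
    # … unchanged: print, process_single call and response …
```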