Uncontrolled data used in path expression #1456

Open
wants to merge 2 commits into base: master

Conversation

gitworkflows (Contributor)

To fix the problem, we need to validate the path parameter to ensure it does not allow directory traversal and is contained within the settings.MEDIA_ROOT directory. We can achieve this by normalizing the path using os.path.normpath and then checking if the resulting path starts with settings.MEDIA_ROOT.

  1. Normalize the file_path using os.path.normpath.
  2. Check if the normalized file_path starts with settings.MEDIA_ROOT.
  3. If the check fails, raise an Http404 error.
  4. If the check passes, proceed with the existing logic.

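A runnable illustration of the normalise-then-contain check outlined in the comment above. This is an added example, not code from the PR or the project: `Http404` is a stand-in for `django.http.Http404` so it runs without Django, and `resolve_media_path` / `is_within_media_root` are hypothetical helper names. One deliberate difference from a bare `str.startswith(settings.MEDIA_ROOT)` check: containment is tested with `os.path.commonpath`, because a plain prefix comparison also accepts a sibling directory whose name merely begins with the root (`/srv/media_backup` next to `/srv/media`); `prefix_check_only` is included solely to show that gap.

```python
import os


class Http404(Exception):
    """Stand-in for django.http.Http404 (assumption: the view raises the Django one)."""


def resolve_media_path(media_root, requested_path):
    """Map a user-supplied relative path onto a file under media_root.

    Returns the absolute, normalised path if it stays inside media_root,
    otherwise raises Http404. Steps mirror the comment: normalise, then
    check containment before touching the filesystem.
    """
    root = os.path.normpath(os.path.abspath(media_root))

    # An absolute user path would make os.path.join discard root entirely,
    # so reject it up front rather than relying on the containment test alone.
    if os.path.isabs(requested_path) or requested_path.startswith(("/", "\\")):
        raise Http404("invalid path")

    # os.path.normpath collapses "..", "." and duplicate separators purely
    # lexically; it does not resolve symlinks (see note below the block).
    candidate = os.path.normpath(os.path.join(root, requested_path))

    # Containment: the longest common path of root and candidate must be root
    # itself. Unlike startswith(), this is separator-aware.
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # paths on different drives (Windows)
        inside = False
    if not inside:
        raise Http404("invalid path")
    return candidate


def is_within_media_root(media_root, requested_path):
    """Boolean wrapper around resolve_media_path for callers that do not want the exception."""
    try:
        resolve_media_path(media_root, requested_path)
    except Http404:
        return False
    return True


def prefix_check_only(media_root, candidate):
    """The bare str.startswith() form, shown only to contrast with the check above.

    Accepts "/srv/media_backup/x" for media_root "/srv/media", which is outside the root.
    """
    return os.path.normpath(candidate).startswith(os.path.normpath(media_root))


if __name__ == "__main__":
    # Constructed inputs: a normal request and three traversal attempts.
    for p in ("uploads/a.png", "../etc/passwd", "uploads/../../etc/passwd", "/etc/passwd"):
        print(p, "->", is_within_media_root("/srv/media", p))
```

If `MEDIA_ROOT` may contain symlinks that point outside it, apply the same `commonpath` test to `os.path.realpath(candidate)` against `os.path.realpath(root)` instead, since `normpath` is lexical only.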
Contributor

Woohoo @gitworkflows! 🎉 You've just dropped some hot new code! 🔥

Hang tight while we review this! You rock! 🤘

To fix the problem, we need to ensure that detailed exception information is not exposed to the end user. Instead, we should log the exception details on the server and return a generic error message to the user. This can be achieved by modifying the exception handling block to log the error and return a generic response.

- Modify the exception handling block in the `CMSDetector` class to log the exception using the `logger` and return a generic error message.
- Ensure that the logging captures the full stack trace for debugging purposes.
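The "before" and "after" shapes of that exception handler, side by side, as an added example rather than the project's own code. The real `CMSDetector` is not on this page, so the class below is a constructed stand-in: `fetch` is a hypothetical injected dependency that can fail, `_classify` is a toy marker lookup, and the failing fetcher's message is constructed to embed an internal path so the leak is visible. `run_demo` drives both variants with a capturing log handler so that what reaches the client and what reaches the log can be compared.

```python
import logging
import traceback

logger = logging.getLogger("cmsdetector")


class CMSDetector:
    """Stand-in for the project's CMSDetector (assumption: only the handler shape matters)."""

    GENERIC_ERROR = {"status": "error", "message": "Detection failed; see server logs."}

    def __init__(self, fetch):
        self._fetch = fetch  # hypothetical callable: url -> response body

    def detect_leaky(self, url):
        """'Before': str(e) goes straight to the client, including whatever it embeds."""
        try:
            body = self._fetch(url)
        except Exception as e:
            return {"status": "error", "message": str(e)}
        return {"status": "ok", "cms": self._classify(body)}

    def detect(self, url):
        """'After': full traceback to the server log, fixed generic message to the client."""
        try:
            body = self._fetch(url)
        except Exception:
            # logger.exception logs at ERROR with exc_info=True, so the stack
            # trace is captured for debugging without reaching the response.
            logger.exception("CMS detection failed for %s", url)
            return dict(self.GENERIC_ERROR)
        return {"status": "ok", "cms": self._classify(body)}

    @staticmethod
    def _classify(body):
        markers = {"wp-content": "WordPress", "/sites/default/": "Drupal", "Joomla": "Joomla"}
        for needle, name in markers.items():
            if needle in body:
                return name
        return "unknown"


class _ListHandler(logging.Handler):
    """Collects log records in memory so the demo can inspect what was logged."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record)


def run_demo(url="https://example.test"):
    """Run both variants against a fetcher that fails with an internal path in its message."""

    def failing_fetch(u):  # constructed failure: message embeds a server-side path
        raise ConnectionError(f"/opt/app/secrets/proxy.conf unreadable while fetching {u}")

    handler = _ListHandler()
    logger.addHandler(handler)
    logger.setLevel(logging.ERROR)
    try:
        det = CMSDetector(failing_fetch)
        leaky = det.detect_leaky(url)
        safe = det.detect(url)
    finally:
        logger.removeHandler(handler)

    with_tb = [r for r in handler.records if r.exc_info]
    logged_tb = "".join(traceback.format_exception(*with_tb[0].exc_info)) if with_tb else ""
    return {"leaky": leaky, "safe": safe, "logged_traceback": logged_tb}


if __name__ == "__main__":
    result = run_demo()
    print("client saw (before):", result["leaky"]["message"])
    print("client saw (after): ", result["safe"]["message"])
    print("server log (after):\n" + result["logged_traceback"])
```

The generic message is a class-level constant so every error path returns the same string; a per-site correlation id can be added to both the log line and the response if operators need to match a user report to a log entry without exposing the trace.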
Labels: None yet
Projects: None yet

1 participant