ensure all paths served are relative to the http root folder

CARTAvis / carta-backend

Source code repository for the backend component of CARTA, a new visualization tool designed for the ALMA, the VLA and the SKA pathfinders.

GNU General Public License v3.0

22 stars 11 forks source link

Description

This PR closes #1242, which is a critical security hole. The solution implemented is:

trim all leading / from the incoming path before appending it to the frontend folder path.
Check that the resultant path (relative to the frontend folder path) contains no instances of "..", meaning it is a subdirectory.

Checklist

[ ] changelog updated / no changelog update needed
[ ] e2e test passing / added corresponding fix
[ ] ~~protobuf updated to the latest dev commit~~ / no protobuf update needed
[ ] added reviewers and assignee
[ ] added ZenHub estimate, milestone, and release

Package	Line Rate	Health
src.Cache	68%	➖
src.DataStream	52%	➖
src.FileList	68%	➖
src.Frame	51%	➖
src.HttpServer	43%	➖
src.ImageData	28%	❌
src.ImageFitter	92%	✔
src.ImageGenerators	52%	➖
src.ImageStats	74%	➖
src.Logger	44%	➖
src.Main	54%	➖
src.Region	22%	❌
src.Session	30%	❌
src.Table	52%	➖
src.ThreadingManager	87%	✔
src.Timer	85%	✔
src.Util	50%	➖
Summary	40% (6763 / 16863)	➖

Package

Line Rate

Health

src.Cache

68%

➖

src.DataStream

52%

➖

src.FileList

68%

➖

src.Frame

51%

➖

src.HttpServer

43%

➖

src.ImageData

28%

❌

src.ImageFitter

92%

✔

src.ImageGenerators

52%

➖

src.ImageStats

74%

➖

src.Logger

44%

➖

src.Main

54%

➖

src.Region

22%

❌

src.Session

30%

❌

src.Table

52%

➖

src.ThreadingManager

87%

✔

src.Timer

85%

✔

src.Util

50%

➖

Summary

40% (6763 / 16863)

➖

CARTAvis / carta-backend

ensure all paths served are relative to the http root folder #1243