bihealth / sodar-server

SODAR: System for Omics Data Access and Retrieval
https://github.com/bihealth/sodar-server
MIT License

Sanitize iRODS paths in get_row_path() calls #1947

Closed mikkonie closed 2 weeks ago

mikkonie commented 3 weeks ago

I noticed we don't sanitize iRODS paths when calling get_row_path(). Especially with the implementation of #1946 it should be done, as the user has more freedom for defining data paths.

As the paths get checked when performing any iRODS requests with elevated permissions within SODAR, this is not a major security issue. Still, we might as well prevent users from entering naughty data from the get-go.

We simply need to call irods_backend.sanitize_path() on the results. Relevant calls to get_row_path() are in:

mikkonie commented 2 weeks ago

Done. Also updated the tests a fair bit and discovered #1954.
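
A sketch of the kind of check this issue asks for, added here as an example and not taken from the thread or from SODAR's code. `sanitize_irods_path()` and `sanitize_row_paths()` are hypothetical helpers (they are not `irods_backend.sanitize_path()`), and the zone, root collection and row paths are constructed.

```python
import posixpath


def sanitize_irods_path(path, root):
    """Return a normalized absolute path under root, or raise ValueError.

    Hypothetical helper for illustration, not SODAR's implementation.
    """
    if not isinstance(path, str) or not path.strip():
        raise ValueError('Empty path')
    if any(ord(c) < 32 or ord(c) == 127 for c in path):
        raise ValueError('Control character in path')
    # Compare whole components, so a name like "..hidden_lib" stays legal
    parts = path.split('/')
    if '..' in parts or '.' in parts:
        raise ValueError('Relative path component not allowed')
    # Collapse duplicate and trailing slashes, force a single leading slash
    norm = posixpath.normpath('/' + path.strip('/'))
    root = posixpath.normpath(root)
    # Append "/" to the root so a sibling such as "<root>_sibling" is rejected
    if norm != root and not norm.startswith(root + '/'):
        raise ValueError('Path outside of expected collection')
    return norm


def sanitize_row_paths(row_paths, root):
    """Split user-influenced row paths into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for p in row_paths:
        try:
            accepted.append(sanitize_irods_path(p, root))
        except ValueError as ex:
            rejected.append((p, str(ex)))
    return accepted, rejected


# Constructed sample data: an assay collection and paths built from row values
ROOT = '/exampleZone/projects/ab/abcd1234/sample_data/study_x/assay_y'
SAMPLES = [
    ROOT + '/P001-N1-DNA1',
    ROOT + '//P002-N1-DNA1/',
    ROOT + '/../../another/collection',
    ROOT + '_sibling/P003',
    ROOT + '/..hidden_lib',
    ROOT + '/P004\nx',
]

if __name__ == '__main__':
    ok, bad = sanitize_row_paths(SAMPLES, ROOT)
    print('accepted:', ok)
    print('rejected:', bad)
```
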