glasgowcompbio / ms2ldaviz

Substructural discovery in untargeted metabolomics data using LDA topic modelling.
http://ms2lda.org
MIT License

SuspiciousFileOperation when uploading file #169

Closed joewandy closed 3 years ago

joewandy commented 3 years ago

Received the message below when trying to upload any file in Django. This also shows on the user side (browser) as a 400 Bad Request.

Environment:

Request Method: POST
Request URL: http://127.0.0.1:8000/uploads/create_experiment/

Django Version: 3.2.4
Python Version: 3.8.10
Installed Applications:
['grappelli',
 'django_markdown2',
 'django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'debug_toolbar',
 'basicviz',
 'annotation',
 'massbank',
 'options',
 'registration',
 'uploads',
 'decomposition',
 'ms1analysis',
 'django_extensions',
 'motifdb']
Installed Middleware:
['debug_toolbar.middleware.DebugToolbarMiddleware',
 'debug_toolbar_force.middleware.ForceDebugToolbarMiddleware',
 'django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware']

Traceback (most recent call last):
  File "/home/joewandy/.local/share/virtualenvs/ms2ldaviz-yVayVtg0/lib/python3.8/site-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/home/joewandy/.local/share/virtualenvs/ms2ldaviz-yVayVtg0/lib/python3.8/site-packages/django/core/handlers/base.py", line 181, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/home/joewandy/.local/share/virtualenvs/ms2ldaviz-yVayVtg0/lib/python3.8/site-packages/django/contrib/auth/decorators.py", line 21, in _wrapped_view
    return view_func(request, *args, **kwargs)
  File "/home/joewandy/git/ms2ldaviz/ms2ldaviz/uploads/views.py", line 26, in create_experiment
    new_experiment.save()
  File "/home/joewandy/git/ms2ldaviz/ms2ldaviz/basicviz/models.py", line 142, in save
    super(Experiment, self).save(*args, **kwargs)
  File "/home/joewandy/.local/share/virtualenvs/ms2ldaviz-yVayVtg0/lib/python3.8/site-packages/django/db/models/base.py", line 726, in save
    self.save_base(using=using, force_insert=force_insert,
  File "/home/joewandy/.local/share/virtualenvs/ms2ldaviz-yVayVtg0/lib/python3.8/site-packages/django/db/models/base.py", line 763, in save_base
    updated = self._save_table(
  File "/home/joewandy/.local/share/virtualenvs/ms2ldaviz-yVayVtg0/lib/python3.8/site-packages/django/db/models/base.py", line 842, in _save_table
    values = [(f, None, (getattr(self, f.attname) if raw else f.pre_save(self, False)))
  File "/home/joewandy/.local/share/virtualenvs/ms2ldaviz-yVayVtg0/lib/python3.8/site-packages/django/db/models/base.py", line 842, in <listcomp>
    values = [(f, None, (getattr(self, f.attname) if raw else f.pre_save(self, False)))
  File "/home/joewandy/.local/share/virtualenvs/ms2ldaviz-yVayVtg0/lib/python3.8/site-packages/django/db/models/fields/files.py", line 302, in pre_save
    file.save(file.name, file.file, save=False)
  File "/home/joewandy/.local/share/virtualenvs/ms2ldaviz-yVayVtg0/lib/python3.8/site-packages/django/db/models/fields/files.py", line 88, in save
    name = self.field.generate_filename(self.instance, name)
  File "/home/joewandy/.local/share/virtualenvs/ms2ldaviz-yVayVtg0/lib/python3.8/site-packages/django/db/models/fields/files.py", line 321, in generate_filename
    filename = validate_file_name(filename, allow_relative_path=True)
  File "/home/joewandy/.local/share/virtualenvs/ms2ldaviz-yVayVtg0/lib/python3.8/site-packages/django/core/files/utils.py", line 18, in validate_file_name
    raise SuspiciousFileOperation(

Exception Type: SuspiciousFileOperation at /uploads/create_experiment/
Exception Value: Detected path traversal attempt in '/home/joewandy/git/ms2ldaviz/ms2ldaviz/media/experiment_1377/Beer_3_T10_POS.mzML'

joewandy commented 3 years ago

Seems that this is a problem with the latest version of Django.

As a workaround, I downgraded Django to the latest version known to work (==3.0.6), but it would be good to investigate this properly.
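The exception value in the traceback is an absolute path under `media/`, and `validate_file_name(..., allow_relative_path=True)` in Django 3.2 rejects any name from `upload_to` that is absolute or contains a `..` component. The example below is added here to show that check and the two `upload_to` shapes it distinguishes; it is not code from the ms2ldaviz project, Django is not imported (the check is re-implemented after Django 3.2's `validate_file_name`), the `MEDIA_ROOT` value is a constructed placeholder, and `absolute_upload_to` is a hypothetical callable that assumes the project's `upload_to` prefixes the media root itself, which the traceback suggests but the page does not confirm.

```python
import os
import pathlib


class SuspiciousFileOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousFileOperation."""


def validate_file_name(name, allow_relative_path=False):
    """Re-implementation modelled on Django 3.2's
    django.core.files.utils.validate_file_name (not Django's own code).

    With allow_relative_path=True (the FileField.generate_filename path)
    directories are allowed, but the name must stay relative and must not
    contain '..'; otherwise only a bare file name is accepted."""
    if os.path.basename(name) in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"Could not derive file name from '{name}'")
    if allow_relative_path:
        path = pathlib.PurePosixPath(name)
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation(
                f"Detected path traversal attempt in '{name}'"
            )
    elif name != os.path.basename(name):
        raise SuspiciousFileOperation(f"File name '{name}' includes path elements")
    return name


# Constructed placeholder; the real value lives in the project's settings.
MEDIA_ROOT = "/srv/ms2lda/media"


def absolute_upload_to(experiment_id, filename):
    """Hypothetical upload_to that joins MEDIA_ROOT itself. The result is an
    absolute path, which is exactly what the 3.2 check rejects."""
    return os.path.join(MEDIA_ROOT, f"experiment_{experiment_id}", filename)


def relative_upload_to(experiment_id, filename):
    """upload_to returning a path relative to MEDIA_ROOT; the storage backend
    joins it to MEDIA_ROOT. os.path.basename drops any directory components
    a client smuggled into the uploaded file name."""
    return f"experiment_{experiment_id}/{os.path.basename(filename)}"


def generate_filename(upload_to, experiment_id, filename):
    """Mirror of the step FileField.generate_filename performs before the
    file is written: run upload_to, then validate what it produced."""
    name = upload_to(experiment_id, filename)
    return validate_file_name(name, allow_relative_path=True)


def check(upload_to, experiment_id, filename):
    """Return ('ok', name) or ('rejected', message) so the two upload_to
    strategies can be compared without exceptions propagating."""
    try:
        return "ok", generate_filename(upload_to, experiment_id, filename)
    except SuspiciousFileOperation as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    for fn in (absolute_upload_to, relative_upload_to):
        for user_name in ("Beer_3_T10_POS.mzML", "../../etc/passwd"):
            print(fn.__name__, repr(user_name), check(fn, 1377, user_name))
```

The relative form passes the check on 3.2 and also neutralises a client-supplied name such as `../../etc/passwd` by keeping only its basename. Pinning Django to 3.0.6 makes the error disappear because that release predates the check, not because the produced path becomes safe; returning a media-relative name from `upload_to` is the change that lets the current Django keep validating uploads.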