stitionai / devika

Devika is an Agentic AI Software Engineer that can understand high-level human instructions, break them down into steps, research relevant information, and write code to achieve the given objective. Devika aims to be a competitive open-source alternative to Devin by Cognition AI.
MIT License

Security Updates & Patches #619

Closed alpernae closed 2 months ago

alpernae commented 4 months ago

Description

This pull request includes security updates and patches to address a recently discovered vulnerability by @alpernae. The changes aim to enhance the overall security of the application and ensure safe usage for all users.

Vulnerable Filename: https://github.com/stitionai/devika/blob/main/devika.py
Vulnerable Line: between 123/127
Vulnerable Endpoint:

@app.route("/api/get-browser-snapshot", methods=["GET"])
@route_logger(logger)
def browser_snapshot():
    snapshot_path = request.args.get("snapshot_path")
    return send_file(snapshot_path, as_attachment=True)

Patch:


# Security Update!!
@app.route("/api/get-browser-snapshot", methods=["GET"])
@route_logger(logger)
def browser_snapshot():
    # TO-DO: Update allowed paths
    allowed_paths = ["/path/to/snapshots/file1.png", "/path/to/snapshots/file2.jpg"]
    snapshot_path = request.args.get("snapshot_path")
    if snapshot_path in allowed_paths:
        return send_file(snapshot_path, as_attachment=True)
    else:
        return jsonify({"code":403,"reason": "Forbidden Path"}), 403

Security Vulnerability Fix:
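The endpoint above passes a client-controlled `snapshot_path` straight to `send_file`, so any readable file on the host can be requested. The PR's patch fixes this with a fixed list of permitted files. The example below is an added illustration, not code from devika or from the PR author; it generalizes the same idea to directory confinement, so that any regular file inside one assumed snapshot directory (`base_dir`) may be served while `..` sequences, absolute paths and symlinks that leave that directory are refused. The sample files and the `demo()` cases are constructed for the example; a Flask route would call `resolve_snapshot()` and pass the returned path to `send_file`, returning 403 on `None`.

```python
"""Confine a client-supplied snapshot name to one directory before serving it.

Added example, not devika's code. Assumes the server stores snapshots under a
single directory (`base_dir`) and that the client only supplies a file name,
as `snapshot_path` does in the PR's endpoint.
"""
import tempfile
from pathlib import Path
from typing import Dict, Optional


def resolve_snapshot(base_dir, requested: str) -> Optional[Path]:
    """Return the real path of `requested` only if it is a regular file inside base_dir.

    The client value is treated as a name relative to base_dir: leading slashes are
    stripped so an absolute path cannot escape, then the result is resolved (symlinks
    followed) and checked to still lie under base_dir. That rejects `..` sequences
    and symlinks that point outside the snapshot directory.
    """
    base = Path(base_dir).resolve()
    candidate = (base / requested.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError when outside base
    except ValueError:
        return None
    if candidate == base or not candidate.is_file():
        return None
    return candidate


def demo() -> Dict[str, bool]:
    """Exercise the resolver against constructed sample files.

    Returns a mapping of case name -> whether that request would be served.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "snapshots"
        base.mkdir()
        (base / "page1.png").write_bytes(b"\x89PNG constructed sample")
        secret = Path(tmp) / "secret.txt"  # lives outside the snapshot directory
        secret.write_text("constructed secret")

        cases = {
            "plain_name": "page1.png",
            "dot_slash": "./page1.png",
            "parent_escape": "../secret.txt",
            "absolute_path": str(secret),
            "system_file": "/etc/passwd",
            "missing_file": "nope.png",
        }
        try:
            # symlink inside base that points outside it must also be refused
            (base / "link.png").symlink_to(secret)
            cases["symlink_out"] = "link.png"
        except OSError:
            pass  # filesystem without symlink support; skip that case

        return {name: resolve_snapshot(base, req) is not None
                for name, req in cases.items()}


if __name__ == "__main__":
    for name, served in demo().items():
        print(f"{name:15} served={served}")
```

Resolving before the containment check matters: a string-prefix comparison on the unresolved path would still accept a symlink planted inside the snapshot directory, and checking `startswith(base)` on strings would accept a sibling directory such as `snapshots-old`. The PR's explicit allow-list remains the stricter option when the set of servable files is small and known in advance.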