file_manager: disallow requests for paths outside of a root

Signed-off-by: Eric Callahan <arksine.code@gmail.com>
2021-05-25 19:37:46 -04:00 · 2021-05-25 19:37:46 -04:00 · 3d0d1e1dcb
parent 5f7cff9af8
commit 3d0d1e1dcb
1 changed files with 11 additions and 4 deletions
--- a/moonraker/components/file_manager.py
+++ b/moonraker/components/file_manager.py
@ -317,10 +317,14 @@ class FileManager:
        root = parts[0]
        if root not in self.file_paths:
            raise self.server.error(f"Invalid root path ({root})")
-        disk_path = self.file_paths[root]
+        root_path = dest_path = self.file_paths[root]
        if len(parts) > 1:
-            disk_path = os.path.join(disk_path, parts[1])
-        return root, disk_path
+            dest_path = os.path.abspath(os.path.join(dest_path, parts[1]))
+            if not dest_path.startswith(root_path):
+                raise self.server.error(
+                    f"Invalid path request, '{request_path}'' is outside "
+                    f"root '{root}'")
+        return root, dest_path

    async def _handle_file_move_copy(self,
                                     web_request: WebRequest
@ -677,7 +681,10 @@ class FileManager:
                raise self.server.error(
                    f"Path not available for DELETE: {path}", 405)
            root_path = self.file_paths[root]
-            full_path = os.path.join(root_path, filename)
+            full_path = os.path.abspath(os.path.join(root_path, filename))
+            if not full_path.startswith(root_path):
+                raise self.server.error(
+                    f"Delete request on file outside of root: {path}")
            if not os.path.isfile(full_path):
                raise self.server.error(f"Invalid file path: {path}")
            try: