From 3d0d1e1dcb825f775037d2de4f83c6bdc91ddddf Mon Sep 17 00:00:00 2001
From: Arksine <arksine.code@gmail.com>
Date: Tue, 25 May 2021 19:37:46 -0400
Subject: [PATCH] file_manager: disallow requests for paths outside of a root

Signed-off-by:  Eric Callahan <arksine.code@gmail.com>
---
 moonraker/components/file_manager.py | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/moonraker/components/file_manager.py b/moonraker/components/file_manager.py
index 1f1a0f6..fc4beae 100644
--- a/moonraker/components/file_manager.py
+++ b/moonraker/components/file_manager.py
@@ -317,10 +317,14 @@ class FileManager:
         root = parts[0]
         if root not in self.file_paths:
             raise self.server.error(f"Invalid root path ({root})")
-        disk_path = self.file_paths[root]
+        root_path = dest_path = self.file_paths[root]
         if len(parts) > 1:
-            disk_path = os.path.join(disk_path, parts[1])
-        return root, disk_path
+            dest_path = os.path.abspath(os.path.join(dest_path, parts[1]))
+            if not dest_path.startswith(root_path):
+                raise self.server.error(
+                    f"Invalid path request, '{request_path}'' is outside "
+                    f"root '{root}'")
+        return root, dest_path
 
     async def _handle_file_move_copy(self,
                                      web_request: WebRequest
@@ -677,7 +681,10 @@ class FileManager:
                 raise self.server.error(
                     f"Path not available for DELETE: {path}", 405)
             root_path = self.file_paths[root]
-            full_path = os.path.join(root_path, filename)
+            full_path = os.path.abspath(os.path.join(root_path, filename))
+            if not full_path.startswith(root_path):
+                raise self.server.error(
+                    f"Delete request on file outside of root: {path}")
             if not os.path.isfile(full_path):
                 raise self.server.error(f"Invalid file path: {path}")
             try: