diff --git a/app/classes/shared/helpers.py b/app/classes/shared/helpers.py
index 65bc853a..489115ae 100644
--- a/app/classes/shared/helpers.py
+++ b/app/classes/shared/helpers.py
@@ -507,9 +507,9 @@ class Helpers:
 
 return mounts
 
- def is_subdir(self, server_path, root_dir):
- server_path = os.path.realpath(server_path)
- root_dir = os.path.realpath(root_dir)
+ def is_subdir(self, child_path, parent_path):
+ server_path = os.path.realpath(child_path)
+ root_dir = os.path.realpath(parent_path)
 
 if self.is_os_windows():
 try:
@@ -1244,22 +1244,6 @@ class Helpers:
 return temp_dir
 return False
 
- @staticmethod
- def in_path(parent_path, child_path):
- # Smooth out relative path names, note: if you are concerned about
- # symbolic links, you should use os.path.realpath too
- parent_path = os.path.abspath(parent_path)
- child_path = os.path.abspath(child_path)
-
- # Compare the common path of the parent and child path with the
- # common path of just the parent path. Using the commonpath method
- # on just the parent path will regularise the path name in the same way
- # as the comparison that deals with both paths, removing any trailing
- # path separator
- return os.path.commonpath([parent_path]) == os.path.commonpath(
- [parent_path, child_path]
- )
-
 @staticmethod
 def download_file(executable_url, jar_path):
 try:
diff --git a/app/classes/web/ajax_handler.py b/app/classes/web/ajax_handler.py
index e3da33a8..9983f4fa 100644
--- a/app/classes/web/ajax_handler.py
+++ b/app/classes/web/ajax_handler.py
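Review bot: `is_subdir` still takes `self` as its first parameter (the context line below the rename calls `self.is_os_windows()`), yet every call site this commit rewrites invokes it through the class as `Helpers.is_subdir(child, parent)` in ajax_handler.py, file_handler.py, panel_handler.py and upload_handler.py. If `Helpers` is the class rather than an instance at those sites, the first argument binds to `self` and each call raises `TypeError` for the missing `parent_path`, so every guarded file read, write, rename, upload and delete would fail with an unhandled exception instead of being authorised. Either call it on a `Helpers` instance, or, if `is_os_windows` needs no instance state, add `@staticmethod` to `is_subdir` and replace `self.is_os_windows()` with `Helpers.is_os_windows()`. The renamed parameters are also copied straight into locals that keep the old names; `child = os.path.realpath(child_path)` / `parent = os.path.realpath(parent_path)` would keep the body consistent with the new signature, though the rest of the body lies outside this hunk.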
@@ -656,13 +656,14 @@ class AjaxHandler(BaseHandler):
 server_info = self.controller.servers.get_server_data_by_id(server_id)
 
 if not (
- Helpers.in_path(
- Helpers.get_os_understandable_path(server_info["path"]), file_path
+ file_path,
+ Helpers.is_subdir(
+ Helpers.get_os_understandable_path(server_info["path"])
 )
- or Helpers.in_path(
- Helpers.get_os_understandable_path(server_info["backup_path"]),
+ or Helpers.is_subdir(
 file_path,
- )
+ Helpers.get_os_understandable_path(server_info["backup_path"]),
+ ),
 ) or not Helpers.check_file_exists(os.path.abspath(file_path)):
 logger.warning(f"Invalid path in del_backup ajax call ({file_path})")
 Console.warning(f"Invalid path in del_backup ajax call ({file_path})")
diff --git a/app/classes/web/file_handler.py b/app/classes/web/file_handler.py
index 5cf4df9e..ac5d2bf0 100644
--- a/app/classes/web/file_handler.py
+++ b/app/classes/web/file_handler.py
@@ -57,11 +57,11 @@ class FileHandler(BaseHandler):
 return
 
 server_id = bleach.clean(server_id)
- if not Helpers.in_path(
+ if not Helpers.is_subdir(
+ file_path,
 Helpers.get_os_understandable_path(
 self.controller.servers.get_server_data_by_id(server_id)["path"]
 ),
- file_path,
 ) or not Helpers.check_file_exists(os.path.abspath(file_path)):
 logger.warning(
 f"Invalid path in get_file file file ajax call ({file_path})"
@@ -163,11 +163,11 @@ class FileHandler(BaseHandler):
 return
 
 server_id = bleach.clean(server_id)
- if not Helpers.in_path(
+ if not Helpers.is_subdir(
+ file_path,
 Helpers.get_os_understandable_path(
 self.controller.servers.get_server_data_by_id(server_id)["path"]
 ),
- file_path,
 ) or Helpers.check_file_exists(os.path.abspath(file_path)):
 logger.warning(
 f"Invalid path in create_file file ajax call ({file_path})"
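Review bot: The rewritten condition in the del_backup hunk no longer tests path containment: the added `file_path,` line is the first element of the parenthesised expression, which turns `not ( ... )` into `not` applied to a two-element tuple, and the first `Helpers.is_subdir(` is left with only the server path as argument. Because the tuple is built before `not` is applied, that one-argument call runs on every request and raises `TypeError`; had it not, a non-empty tuple is always truthy, so the containment check could never reject a path and the delete would be guarded only by the existence test. The intended shape is the one this same commit writes in file_handler.py's del_file hunk: drop the stray `file_path,` line, make the first call `Helpers.is_subdir(file_path, Helpers.get_os_understandable_path(server_info["path"]))`, and close the second call with `)` rather than `),`. The enclosing handler continues outside the hunk.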
@@ -196,11 +196,11 @@ class FileHandler(BaseHandler):
 return
 
 server_id = bleach.clean(server_id)
- if not Helpers.in_path(
+ if not Helpers.is_subdir(
+ dir_path,
 Helpers.get_os_understandable_path(
 self.controller.servers.get_server_data_by_id(server_id)["path"]
 ),
- dir_path,
 ) or Helpers.check_path_exists(os.path.abspath(dir_path)):
 logger.warning(
 f"Invalid path in create_dir file ajax call ({dir_path})"
@@ -263,12 +263,12 @@ class FileHandler(BaseHandler):
 server_info = self.controller.servers.get_server_data_by_id(server_id)
 
 if not (
- Helpers.in_path(
- Helpers.get_os_understandable_path(server_info["path"]), file_path
+ Helpers.is_subdir(
+ file_path, Helpers.get_os_understandable_path(server_info["path"])
 )
- or Helpers.in_path(
- Helpers.get_os_understandable_path(server_info["backup_path"]),
+ or Helpers.is_subdir(
 file_path,
+ Helpers.get_os_understandable_path(server_info["backup_path"]),
 )
 ) or not Helpers.check_file_exists(os.path.abspath(file_path)):
 logger.warning(f"Invalid path in del_file file ajax call ({file_path})")
@@ -296,8 +296,8 @@ class FileHandler(BaseHandler):
 server_id = bleach.clean(server_id)
 server_info = self.controller.servers.get_server_data_by_id(server_id)
 
- if not Helpers.in_path(
- Helpers.get_os_understandable_path(server_info["path"]), dir_path
+ if not Helpers.is_subdir(
+ dir_path, Helpers.get_os_understandable_path(server_info["path"])
 ) or not Helpers.check_path_exists(os.path.abspath(dir_path)):
 logger.warning(f"Invalid path in del_file file ajax call ({dir_path})")
 Console.warning(f"Invalid path in del_file file ajax call ({dir_path})")
@@ -348,11 +348,11 @@ class FileHandler(BaseHandler):
 return
 
 server_id = bleach.clean(server_id)
- if not Helpers.in_path(
+ if not Helpers.is_subdir(
+ file_path,
 Helpers.get_os_understandable_path(
 self.controller.servers.get_server_data_by_id(server_id)["path"]
 ),
- file_path,
 ) or not Helpers.check_file_exists(os.path.abspath(file_path)):
 logger.warning(
 f"Invalid path in save_file file ajax call ({file_path})"
@@ -387,11 +387,11 @@ class FileHandler(BaseHandler):
 Console.warning("Invalid path(s) in rename_file file ajax call")
 return
 
- if not Helpers.in_path(
+ if not Helpers.is_subdir(
+ item_path,
 Helpers.get_os_understandable_path(
 self.controller.servers.get_server_data_by_id(server_id)["path"]
 ),
- item_path,
 ) or not Helpers.check_path_exists(os.path.abspath(item_path)):
 logger.warning(
 f"Invalid old name path in rename_file file ajax call ({server_id})"
@@ -403,11 +403,11 @@ class FileHandler(BaseHandler):
 
 new_item_path = os.path.join(os.path.split(item_path)[0], new_item_name)
 
- if not Helpers.in_path(
+ if not Helpers.is_subdir(
+ new_item_path,
 Helpers.get_os_understandable_path(
 self.controller.servers.get_server_data_by_id(server_id)["path"]
 ),
- new_item_path,
 ) or Helpers.check_path_exists(os.path.abspath(new_item_path)):
 logger.warning(
 f"Invalid new name path in rename_file file ajax call ({server_id})"
@@ -462,11 +462,11 @@ class FileHandler(BaseHandler):
 Console.warning("Invalid path(s) in rename_file file ajax call")
 return
 
- if not Helpers.in_path(
+ if not Helpers.is_subdir(
+ item_path,
 Helpers.get_os_understandable_path(
 self.controller.servers.get_server_data_by_id(server_id)["path"]
 ),
- item_path,
 ) or not Helpers.check_path_exists(os.path.abspath(item_path)):
 logger.warning(
 f"Invalid old name path in rename_file file ajax call ({server_id})"
@@ -478,11 +478,11 @@ class FileHandler(BaseHandler):
 
 new_item_path = os.path.join(os.path.split(item_path)[0], new_item_name)
 
- if not Helpers.in_path(
+ if not Helpers.is_subdir(
+ new_item_path,
 Helpers.get_os_understandable_path(
 self.controller.servers.get_server_data_by_id(server_id)["path"]
 ),
- new_item_path,
 ) or Helpers.check_path_exists(os.path.abspath(new_item_path)):
 logger.warning(
 f"Invalid new name path in rename_file file ajax call ({server_id})"
diff --git a/app/classes/web/panel_handler.py b/app/classes/web/panel_handler.py
index df58263d..bb91eb94 100644
--- a/app/classes/web/panel_handler.py
+++ b/app/classes/web/panel_handler.py
@@ -821,9 +821,9 @@ class PanelHandler(BaseHandler):
 Helpers.get_os_understandable_path(server_info["backup_path"]), file
 )
 )
- if not Helpers.in_path(
- Helpers.get_os_understandable_path(server_info["backup_path"]),
+ if not Helpers.is_subdir(
 backup_file,
+ Helpers.get_os_understandable_path(server_info["backup_path"]),
 ) or not os.path.isfile(backup_file):
 self.redirect("/panel/error?error=Invalid path detected")
 return
@@ -1476,8 +1476,9 @@ class PanelHandler(BaseHandler):
 
 server_info = self.controller.servers.get_server_data_by_id(server_id)
 
- if not Helpers.in_path(
- Helpers.get_os_understandable_path(server_info["path"]), file
+ if not Helpers.is_subdir(
+ file,
+ Helpers.get_os_understandable_path(server_info["path"]),
 ) or not os.path.isfile(file):
 self.redirect("/panel/error?error=Invalid path detected")
 return
diff --git a/app/classes/web/upload_handler.py b/app/classes/web/upload_handler.py
index 39752a35..e23db114 100644
--- a/app/classes/web/upload_handler.py
+++ b/app/classes/web/upload_handler.py
@@ -278,11 +278,11 @@ class UploadHandler(BaseHandler):
 filename = self.request.headers.get("X-FileName", None)
 full_path = os.path.join(path, filename)
 
- if not Helpers.in_path(
+ if not Helpers.is_subdir(
+ full_path,
 Helpers.get_os_understandable_path(
 self.controller.servers.get_server_data_by_id(server_id)["path"]
 ),
- full_path,
 ):
 logger.warning(
 f"User {user_id} tried to upload a file to {server_id} "