Check for traversal on backup delete

2024-08-30 18:23:09 +00:00 · 2024-07-08 22:06:29 -04:00 · 2024-07-08 22:06:29 -04:00 · a3e210c0d3
commit a3e210c0d3
parent 9186d9b02c
1 changed files with 8 additions and 0 deletions
--- a/app/classes/web/routes/api/servers/server/backups/backup/index.py
+++ b/app/classes/web/routes/api/servers/server/backups/backup/index.py
@ -414,6 +414,14 @@ class ApiServersServerBackupsBackupFilesIndexHandler(BaseApiHandler):
                    "error_data": str(e),
                },
            )
+        self.helper.validate_traversal(
+            os.path.join(backup_conf["backup_location"], backup_conf["backup_id"]),
+            os.path.join(
+                backup_conf["backup_location"],
+                backup_conf["backup_id"],
+                data["filename"],
+            ),
+        )
        try:
            FileHelpers.del_file(
                os.path.join(