[Security Issue] Apply secure_filename to snapshot_path for security hardening #688
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Seagh0098
approved these changes
Apr 13, 2025
Seagh0098
approved these changes
Apr 13, 2025
|
@ARajgor I'd appreciate it if you could review the unit tests I wrote 🙏 |
|
knock knock |
1 similar comment
|
knock knock |
|
knock knock |
|
knock knock |
How mature |
Why so serious? 😏 |
Seagh0098
approved these changes
Jun 1, 2025
Seagh0098
approved these changes
Jun 1, 2025
|
May I ask how long it will take for the final merge? Also, has the CI process been completed? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
snapshot_pathparameter.This change uses
secure_filenamefromwerkzeug.utilsto sanitize thesnapshot_pathvalue obtained from user input, preventing malicious path traversal or unauthorized file access.Problem
Previously, the
snapshot_pathparameter was used without validation. An attacker could exploit this by passing values like../../etc/passwd, potentially gaining access to sensitive files on the server. This posed a serious path injection security risk.Code Change
The
secure_filenamefunction ensures the input is converted to a safe, valid filename, effectively blocking directory traversal attempts.Test Plan
snapshot_path=../../etc/passwdetc_passwd), preventing unauthorized access