Sanitize user input in FileProvider

GeoWerkstatt · May 3, 2024 · 83a4424 · 83a4424
1 parent 832dca1
commit 83a4424
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 10 deletions.
diff --git a/src/Geopilot.Api/Controllers/ValidationController.cs b/src/Geopilot.Api/Controllers/ValidationController.cs
@@ -167,9 +167,7 @@ public IActionResult GetStatus(Guid jobId)
     [SwaggerResponse(StatusCodes.Status404NotFound, "The job or log file cannot be found.", typeof(ProblemDetails), new[] { "application/json" })]
     public IActionResult Download(Guid jobId, string file)
     {
-        var sanitizedFilename = file.SanitizeFileName();
-
-        logger.LogInformation("Download file <{File}> for job <{JobId}> requested.", HttpUtility.HtmlEncode(sanitizedFilename), jobId);
+        logger.LogInformation("Download file <{File}> for job <{JobId}> requested.", HttpUtility.HtmlEncode(file), jobId);
         fileProvider.Initialize(jobId);
 
         var validationJob = validationService.GetJob(jobId);
@@ -179,15 +177,15 @@ public IActionResult Download(Guid jobId, string file)
             return Problem($"No job information available for job id <{jobId}>", statusCode: StatusCodes.Status404NotFound);
         }
 
-        if (!fileProvider.Exists(sanitizedFilename))
+        if (!fileProvider.Exists(file))
         {
-            logger.LogTrace("No log file <{File}> found for job id <{JobId}>", HttpUtility.HtmlEncode(sanitizedFilename), jobId);
-            return Problem($"No log file <{sanitizedFilename}> found for job id <{jobId}>", statusCode: StatusCodes.Status404NotFound);
+            logger.LogTrace("No log file <{File}> found for job id <{JobId}>", HttpUtility.HtmlEncode(file), jobId);
+            return Problem($"No log file <{file}> found for job id <{jobId}>", statusCode: StatusCodes.Status404NotFound);
         }
 
-        var logFile = fileProvider.Open(sanitizedFilename);
-        var contentType = contentTypeProvider.GetContentTypeAsString(sanitizedFilename);
-        var logFileName = Path.GetFileNameWithoutExtension(validationJob.OriginalFileName) + "_log" + Path.GetExtension(sanitizedFilename);
+        var logFile = fileProvider.Open(file);
+        var contentType = contentTypeProvider.GetContentTypeAsString(file);
+        var logFileName = Path.GetFileNameWithoutExtension(validationJob.OriginalFileName) + "_log" + Path.GetExtension(file);
         return File(logFile, contentType, logFileName);
     }
 }
diff --git a/src/Geopilot.Api/FileAccess/PhysicalFileProvider.cs b/src/Geopilot.Api/FileAccess/PhysicalFileProvider.cs
@@ -44,7 +44,7 @@ public Stream Open(string file)
     /// <inheritdoc/>
     public bool Exists(string file)
     {
-        return File.Exists(Path.Combine(HomeDirectory.FullName, file));
+        return File.Exists(Path.Combine(HomeDirectory.FullName, file.SanitizeFileName()));
     }
 
     /// <inheritdoc/>