add resolve and check to pathing

e-m-b-a · Jun 20, 2024 · 355a466 · 355a466
1 parent 66f396d
commit 355a466
Showing 1 changed file with 13 additions and 11 deletions.
diff --git a/embark/reporter/views.py b/embark/reporter/views.py
@@ -98,17 +98,19 @@ def html_report_download(request, analysis_id, html_path, download_file):
     if FirmwareAnalysis.objects.filter(id=analysis_id).exists():
         analysis = FirmwareAnalysis.objects.get(id=analysis_id)
         if analysis.hidden is False or analysis.user == request.user or request.user.is_superuser:
-            resource_path = Path(f'{settings.EMBA_LOG_ROOT}/{analysis_id}/emba_logs/html-report/{html_path}/{download_file}')
-            try:
-                with open(resource_path, 'rb') as requested_file:
-                    response = HttpResponse(requested_file.read(), content_type="text/plain")
-                    response['Content-Disposition'] = 'attachment; filename=' + download_file
-                    logger.info("html_report - analysis_id: %s html_path: %s download_file: %s", analysis_id, html_path,
-                                download_file)
-            except FileNotFoundError:
-                messages.error(request, "File not found on the server")
-                logger.error("Couldn't find %s", resource_path)
-                response = HttpResponse("Couldn't find %s", resource_path)
+            resource_path = os.path.abspath(f'{settings.EMBA_LOG_ROOT}/{analysis_id}/emba_logs/html-report/{html_path}/{download_file}')
+            parent_path = os.path.abspath(f'{settings.EMBA_LOG_ROOT}/{analysis_id}/emba_logs/html-report/')
+            if os.path.commonpath([parent_path, resource_path]) == parent_path:
+                try:
+                    with open(resource_path, 'rb') as requested_file:
+                        response = HttpResponse(requested_file.read(), content_type="text/plain")
+                        response['Content-Disposition'] = 'attachment; filename=' + download_file
+                        logger.info("html_report - analysis_id: %s html_path: %s download_file: %s", analysis_id, html_path,
+                                    download_file)
+                except FileNotFoundError:
+                    messages.error(request, "File not found on the server")
+                    logger.error("Couldn't find %s", resource_path)
+                    response = HttpResponse("Couldn't find %s", resource_path)
     return response