fix: harden path validation to prevent sibling directory bypass

Append os.sep to the directory path before the startswith() check so that
paths like /app/data/uploads_evil/ cannot bypass the uploads directory
validation.
This commit is contained in:
Luis Novo 2026-04-09 12:05:38 -03:00
parent 70a466a640
commit 2f75c5978c


@ -63,7 +63,7 @@ def generate_unique_filename(original_filename: str, upload_folder: str) -> str:
full_path = file_path / new_filename
# Verify resolved path stays within upload folder
resolved = full_path.resolve()
if not str(resolved).startswith(str(file_path.resolve())):
if not str(resolved).startswith(str(file_path.resolve()) + os.sep):
raise ValueError("Invalid filename: path traversal detected")
if not resolved.exists():
return str(resolved)
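Review bot: The containment test on line 18 is still a string-prefix comparison, and that form has a remaining edge case: when the base directory resolves to the filesystem root, `str(base) + os.sep` becomes `//`, which no resolved path starts with, so every filename is rejected; the same construction is repeated in the create_source hunk below. `pathlib` already expresses the intended check without separator or root handling: `if not resolved.is_relative_to(file_path.resolve()):` (Python 3.9+; both sides are already resolved, so the lexical comparison is sound), or `os.path.commonpath([resolved, base]) != str(base)` on older interpreters. Both hunks now also depend on `os` being imported at module level, which is outside this view and worth confirming. If the string form is kept, a comment such as `# trailing os.sep: a sibling like uploads_evil/ must not match the prefix` would record why the separator is appended. generate_unique_filename begins before the hunk, so any earlier validation of original_filename is not visible here.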
@ -337,7 +337,7 @@ async def create_source(
# Validate file_path is within the uploads directory to prevent LFI
uploads_resolved = Path(UPLOADS_FOLDER).resolve()
file_resolved = Path(final_file_path).resolve()
if not str(file_resolved).startswith(str(uploads_resolved)):
if not str(file_resolved).startswith(str(uploads_resolved) + os.sep):
raise HTTPException(
status_code=400,
detail="Invalid file path: must be within the uploads directory",