From 2f75c5978c93836ca4605693786667830135eea4 Mon Sep 17 00:00:00 2001
From: Luis Novo
Date: Thu, 9 Apr 2026 12:05:38 -0300
Subject: [PATCH] fix: harden path validation to prevent sibling directory bypass

Append os.sep to the directory path before startswith() check so that paths like /app/data/uploads_evil/ cannot bypass the uploads directory validation.
---
 api/routers/sources.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/api/routers/sources.py b/api/routers/sources.py
index e6d6eff..9c4b745 100644
--- a/api/routers/sources.py
+++ b/api/routers/sources.py
@@ -63,7 +63,7 @@ def generate_unique_filename(original_filename: str, upload_folder: str) -> str:
 full_path = file_path / new_filename
 # Verify resolved path stays within upload folder
 resolved = full_path.resolve()
- if not str(resolved).startswith(str(file_path.resolve())):
+ if not str(resolved).startswith(str(file_path.resolve()) + os.sep):
 raise ValueError("Invalid filename: path traversal detected")
 if not resolved.exists():
 return str(resolved)
@@ -337,7 +337,7 @@ async def create_source(
 # Validate file_path is within the uploads directory to prevent LFI
 uploads_resolved = Path(UPLOADS_FOLDER).resolve()
 file_resolved = Path(final_file_path).resolve()
- if not str(file_resolved).startswith(str(uploads_resolved)):
+ if not str(file_resolved).startswith(str(uploads_resolved) + os.sep):
 raise HTTPException(
 status_code=400,
 detail="Invalid file path: must be within the uploads directory",
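Review bot: The containment check in `generate_unique_filename` is still a string-prefix comparison, and the `create_source` hunk repeats the same pattern; comparing path components avoids depending on separator handling at all. The line could read `if file_path.resolve() not in resolved.parents:` (and `if uploads_resolved not in file_resolved.parents:` in the second hunk), which keeps the strict-descendant behaviour this patch introduces. It also stays correct if the base directory ever resolves to a filesystem root, where `str(...) + os.sep` produces a doubled separator and rejects every path. The patch introduces a use of `os` without touching the imports, so confirm `import os` is already present in `api/routers/sources.py`, since the visible hunks do not show it. The function body starts and ends outside the hunk.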
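Review bot: The rejection branch in `create_source` goes straight from the `if` to `raise HTTPException(` without recording the attempt, so a request probing outside the uploads directory leaves no server-side trace for detection or incident review. A warning just before the `raise`, for example `logger.warning("Rejected file_path outside uploads dir: %r", final_file_path)`, would make these visible; this assumes the module already has a logger, which the hunk does not show. The `raise HTTPException(` call and the rest of the function continue outside the hunk.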