Page MenuHomeSoftware Heritage
Differential D8945

api, browse: Ensure to sanitize filename passed to django FileResponse
ClosedPublic
Actions

Authored by anlambert on Dec 7 2022, 5:55 PM.

Details

Reviewers
vlorentz
Group Reviewers
Reviewers
Commits
rDWAPPS9a29da9ad689: api, browse: Ensure to sanitize filename passed to django FileResponse
Summary

Django might try to access the file if the value provided to the filename
query parameter of associated views is an absolute path.

Fixes SWH-WEBAPP-4B9

Diff Detail

Repository
rDWAPPS Web applications
Branch
master
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 33177
Build 52012: Phabricator diff pipeline on jenkinsJenkins console · Jenkins
Build 52011: arc lint + arc unit

Event Timeline

anlambert created this revision.Dec 7 2022, 5:55 PM
Herald added a reviewer: Reviewers. · View Herald TranscriptDec 7 2022, 5:55 PM
swh-public-ci added a comment.Dec 7 2022, 6:06 PM

Build is green

Patch application report for D8945 (id=32222)

Rebasing onto 36ce2b462f...

Current branch diff-target is up to date.
Changes applied before test
commit 9a29da9ad68949a46a83828bcd4ea40a217d610e
Author: Antoine Lambert <anlambert@softwareheritage.org>
Date:   Wed Dec 7 17:53:56 2022 +0100

    api, browse: Ensure to sanitize filename passed to django FileResponse
    
    Django might try to access the file if the value provided to the filename
    query parameter of associated views is an absolute path.

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/51/ for more details.

Harbormaster completed remote builds in B33177: Diff 32222.Dec 7 2022, 6:06 PM
anlambert requested review of this revision.Dec 7 2022, 6:06 PM
vlorentz accepted this revision.Dec 8 2022, 2:29 AM
This revision is now accepted and ready to land.Dec 8 2022, 2:29 AM
Closed by commit rDWAPPS9a29da9ad689: api, browse: Ensure to sanitize filename passed to django FileResponse (authored by anlambert). · Explain WhyDec 8 2022, 5:21 PM
This revision was automatically updated to reflect the committed changes.
anlambert added a commit: rDWAPPS9a29da9ad689: api, browse: Ensure to sanitize filename passed to django FileResponse.

Revision Contents
Changeset List

PathSizeCoverage (All)Coverage (Touched)
swh/
web/
api/
views/
3 lines94%
Loading...
browse/
tests/
views/
5 lines98%
Loading...
views/
3 lines70%
Loading...

Diff 32222

View Options

swh/web/api/views/content.py

Loading...
View Options

swh/web/browse/tests/views/test_content.py

Loading...
View Options

swh/web/browse/views/content.py

Loading...
About · Developer information · Legal