
api, browse: Ensure to sanitize filename passed to django FileResponse
ClosedPublic

Authored by anlambert on Dec 7 2022, 5:55 PM.

Details

Summary

Django might try to access the file if the value provided to the filename
query parameter of associated views is an absolute path.

Fixes SWH-WEBAPP-4B9
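As an added illustration of the point made in the summary (not swh-web's code and not the change in this revision): a client-controlled `filename` query parameter should be reduced to a single relative path component before it is handed to `django.http.FileResponse`, so that an absolute path or a traversal string never reaches the header or any filesystem call. The function and view names, the `_UNSAFE` character set and the `"content"` fallback below are assumptions made for this example.

```python
import os
import re

try:
    from django.http import FileResponse  # only needed for the view below
except ImportError:  # lets the sanitiser be exercised without Django installed
    FileResponse = None

# Bytes that must not reach a Content-Disposition header or a filesystem call:
# control characters, both path separators and double quotes. Constructed for
# this example; a project may tighten it further.
_UNSAFE = re.compile(r'[\x00-\x1f\x7f"\\/]')

DEFAULT_NAME = "content"  # assumed fallback, not the project's actual default


def sanitize_filename(value, default=DEFAULT_NAME):
    """Reduce a client-supplied name to one safe, relative path component.

    An absolute path such as /etc/passwd becomes "passwd"; a traversal string
    such as ../../x or ..\\..\\x becomes "x"; anything that collapses to "",
    "." or ".." is replaced by `default`.
    """
    if not isinstance(value, str) or not value:
        return default
    # Split on both separator styles: os.path.basename only understands the
    # host OS separator, and a backslash is a legal filename byte on POSIX.
    name = re.split(r"[\\/]", value)[-1]
    name = _UNSAFE.sub("", name).strip()
    if name in ("", ".", "..") or os.path.isabs(name):
        return default
    return name


def download_view(request, filelike):
    """Hypothetical Django view streaming `filelike` under a sanitised name.

    The weak pattern is FileResponse(filelike, filename=request.GET.get("filename"));
    here the request value goes through sanitize_filename() first.
    """
    if FileResponse is None:
        raise RuntimeError("Django is not installed")
    return FileResponse(
        filelike,
        as_attachment=True,
        filename=sanitize_filename(request.GET.get("filename")),
    )
```

`sanitize_filename` is a pure function, so it can be unit-tested without a Django settings module; the view only shows where the call belongs.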

Diff Detail

Repository
rDWAPPS Web applications
Branch
master
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 33177
Build 52012: Phabricator diff pipeline on jenkins
Build 52011: arc lint + arc unit

Event Timeline

Build is green

Patch application report for D8945 (id=32222)

Rebasing onto 36ce2b462f...

Current branch diff-target is up to date.
Changes applied before test
commit 9a29da9ad68949a46a83828bcd4ea40a217d610e
Author: Antoine Lambert <anlambert@softwareheritage.org>
Date:   Wed Dec 7 17:53:56 2022 +0100

    api, browse: Ensure to sanitize filename passed to django FileResponse
    
    Django might try to access the file if the value provided to the filename
    query parameter of associated views is an absolute path.

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/51/ for more details.

This revision is now accepted and ready to land. Dec 8 2022, 2:29 AM