Merge pull request from GHSA-pf2h-qjcr-qvq2

Open-MSS · Feb 8, 2024 · f230337 · f230337
1 parent 75a1e48
commit f230337
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/mslib/index.py b/mslib/index.py
@@ -29,6 +29,7 @@
 import os
 import codecs
 import mslib
+import werkzeug
 
 from flask import render_template
 from flask import send_from_directory, send_file, url_for
@@ -161,11 +162,15 @@ def plots():
     @APP.route("/mss/code/<path:filename>")
     def code(filename):
         download = request.args.get("download", False)
-        _file = os.path.join(STATIC_LOCATION, 'code', filename)
+        _file = werkzeug.security.safe_join(STATIC_LOCATION, "code", filename)
+        if _file is None:
+            abort(404)
         content = get_content(_file)
         if not download:
             return render_template("/content.html", act="code", content=content)
         else:
+            if not os.path.isfile(_file):
+                abort(404)
             with open(_file) as f:
                 text = f.read()
             return Response("".join([s.replace("\t", "", 1) for s in text.split("```python")[-1]

diff --git a/mslib/mscolab/server.py b/mslib/mscolab/server.py
@@ -34,6 +34,8 @@
 import os
 import socketio
 import sqlalchemy.exc
+import werkzeug
+
 from itsdangerous import URLSafeTimedSerializer, BadSignature
 from flask import g, jsonify, request, render_template, flash
 from flask import send_from_directory, abort, url_for
@@ -378,7 +380,7 @@ def uploads(name=None, filename=None):
         abort(404)
     if filename is None:
         abort(404)
-    return send_from_directory(fs.path.join(base_path, name), filename)
+    return send_from_directory(base_path, werkzeug.security.safe_join("", name, filename))
 
 
 # 413: Payload Too Large