chore(security): added a few more escapes
amunchet committed Sep 16, 2023
1 parent c269afc commit 0fb48c0
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions backend/serve.py
Expand Up @@ -175,7 +175,7 @@ def upload(file_type, override_token): # pragma: no cover
"/tmp/{}".format(filename),
"/src/uploads/become/{}.yml".format(filename.replace(".yml", "")),
)
return filename, 200
return escape(filename), 200
os.remove("/tmp/{}".format(filename))
return "File check failed", 522

Expand All @@ -199,7 +199,7 @@ def upload(file_type, override_token): # pragma: no cover
# Chmod
chmod_filename = "/src/uploads/{}/{}".format(file_type, filename)
os.chmod(chmod_filename, 0o600)
return filename, 200
return escape(filename), 200


@app.route("/uploads/<file_type>", methods=["GET"])
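Review bot: Escaping `filename` only in the two `return` statements covers the reflected response, but the same value is still formatted into filesystem paths in this section (`"/tmp/{}".format(filename)` and `"/src/uploads/{}/{}".format(file_type, filename)`), and nothing visible here constrains it. `upload` starts above both hunks, so the value may already be normalised there; if it is not, normalise it once before any path use, e.g. `filename = secure_filename(filename)` from `werkzeug.utils`, and check `file_type` against a fixed set of allowed directory names. The client also now receives the HTML-escaped name, which differs from the stored name whenever it contains `&`, `<`, `>` or quotes; sending the response with an explicit `text/plain` content type would remove the need to alter the value. The import of `escape` is not shown in this diff; on current Flask it should come from `markupsafe`.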