uhhh lots of things

This commit is contained in:
2025-03-08 11:17:24 -05:00
parent 0a6d5b8a90
commit c6f36d0408
7 changed files with 222 additions and 44 deletions


@ -1,7 +1,7 @@
from pathlib import Path
from src.config.config import Configuration
from src.rendering.renderer import render_page, render_error_page
from flask import send_file
from flask import send_file
from src.rendering.image import generate_thumbnail
from functools import lru_cache
import os
@ -11,7 +11,6 @@ class RouteManager:
def __init__(self, config: Configuration):
self.config = config
def _validate_and_sanitize_path(self, base_dir, requested_path):
"""
Validate and sanitize the requested path to ensure it does not traverse above the base directory.
@ -21,11 +20,11 @@ class RouteManager:
:return: A secure version of the requested path if valid, otherwise None.
"""
# Normalize both paths
base_dir = os.path.abspath(base_dir)
requested_path = os.path.abspath(requested_path)
base_dir = Path(base_dir)
requested_path: Path = base_dir / requested_path
# Check if the requested path is within the base directory
if not requested_path.startswith(base_dir):
if requested_path < base_dir:
return None
# Ensure the path does not contain any '..' or '.' components
@ -33,32 +32,33 @@ class RouteManager:
secure_path_parts = secure_path.split(os.sep)
for part in secure_path_parts:
if part == '.' or part == '..':
if part == "." or part == "..":
print("Illegal path nice try")
return None
# Reconstruct the secure path
secure_path = os.path.join(base_dir, *secure_path_parts)
secure_path = Path(secure_path)
# Check if path exists
if not secure_path.exists():
raise Exception("Illegal path")
for part in secure_path.parts:
if part.startswith("___"):
print("hidden file")
raise Exception("Illegal path")
return secure_path
def _ensure_route(self, path: str):
"""
Escapes the path for anything like
a path execution or injection attack
evaluates the path and ensures that it it does not
go above the self.content.content_dir
If any part of the path contains __, __{foldername}, or __(unknown),
that is a hidden file or folder and should raise an exception
Any illegal path should raise an exception
"""
file_path: Path = self.config.content_dir / (path if path else "index.md")
if file_path < self.config.content_dir:
raise Exception("Illegal path")
for part in file_path.parts:
if part.startswith("__"):
raise Exception("Illegal path")
if not self._validate_and_sanitize_path(self.config.content_dir, str(file_path)):
if not self._validate_and_sanitize_path(
self.config.content_dir, str(file_path)
):
raise Exception("Illegal path")
def default_route(self, path: str):
@ -80,6 +80,15 @@ class RouteManager:
)
def get_style(self, path: str):
try:
self._validate_and_sanitize_path(self.config.styles_dir, path)
except Exception as e:
return render_error_page(
404,
"Not Found",
f"The requested resource was not found on this server. {e}",
self.config.templates_dir,
)
file_path: Path = self.config.styles_dir / path
if file_path.exists():
return send_file(file_path)
@ -91,8 +100,16 @@ class RouteManager:
self.config.templates_dir,
)
@lru_cache(maxsize=None)
def get_static(self, path: str):
try:
self._validate_and_sanitize_path(self.config.content_dir, path)
except Exception as e:
return render_error_page(
404,
"Not Found",
"The requested resource was not found on this server.",
self.config.templates_dir,
)
file_path: Path = self.config.content_dir / path
if file_path.exists():
# Check to see if the file is an image, if it is, render a thumbnail