mirror of https://github.com/haiwen/seahub.git synced 2025-04-28 03:10:45 +00:00

Potential fix for code scanning alert no. 195: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
lian 2025-03-29 18:09:15 +08:00 committed by GitHub
parent 30e3c30ce8
commit f8c90e5cdb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -71,12 +71,16 @@ def sys_log_export_excel(request):
error_msg = 'log_type invalid'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
target_dir = os.path.join('/tmp/seafile_events/', task_id)
base_dir = '/tmp/seafile_events/'
target_dir = os.path.join(base_dir, task_id)
tmp_excel_path = os.path.join(target_dir, excel_name)
target_dir = os.path.normpath(target_dir)
tmp_excel_path = os.path.normpath(tmp_excel_path)
if not target_dir.startswith(base_dir) or not tmp_excel_path.startswith(base_dir):
return api_error(status.HTTP_400_BAD_REQUEST, 'Invalid path.')
if not os.path.isfile(tmp_excel_path):
return api_error(status.HTTP_400_BAD_REQUEST, excel_name + ' not found.')
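Review bot: The containment test on the `if not target_dir.startswith(base_dir) ...` line is purely lexical, because `os.path.normpath` collapses `..` segments but does not resolve symlinks, and `base_dir` sits under the shared `/tmp`. Resolving first and comparing whole path components would be stricter: `real_base = os.path.realpath(base_dir)`, `target_dir = os.path.realpath(target_dir)`, then `if os.path.commonpath([real_base, target_dir]) != real_base:`. If `task_id` has a fixed format (not visible here), validating it against that format before the join would be a simpler first gate and would also reject nested values such as `a/b`. `sys_log_export_excel` starts before and appears to continue past this hunk, so any later use of `target_dir` outside the visible lines relies on this check as well.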