Suggested mitigation for KL-CAN-2024-002.

6c963614 · KoreLogic Disclosures · edeff20e · 6c963614
Unverified Commit 6c963614 authored Apr 01, 2024 by KoreLogic Disclosures
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 1 deletion

backend/apps/rag/main.py backend/apps/rag/main.py +18 -1

No files found.
--- a/backend/apps/rag/main.py
+++ b/backend/apps/rag/main.py
@@ -448,8 +448,25 @@ def store_doc(
    log.info(f"file.content_type: {file.content_type}")
    try:
+        is_valid_filename = True
+        unsanitized_filename = file.filename
+        if not unsanitized_filename.isascii():
+            is_valid_filename = False
+        unvalidated_file_path  = f"{UPLOAD_DIR}/{unsanitized_filename}"
+        dereferenced_file_path = str(Path(unvalidated_file_path).resolve(strict=False))
+        if not dereferenced_file_path.startswith(UPLOAD_DIR):
+            is_valid_filename = False
+        if is_valid_filename:
+            file_path = dereferenced_file_path
+        else:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail=ERROR_MESSAGES.DEFAULT(),
+            )
        filename = file.filename
-        file_path = f"{UPLOAD_DIR}/{filename}"
        contents = file.file.read()
        with open(file_path, "wb") as f:
            f.write(contents)