From bacab3b20afdf7bf5503735bfba4e8297216bcb8 Mon Sep 17 00:00:00 2001 From: kodi Date: Sun, 22 Mar 2026 09:52:27 +0100 Subject: [PATCH] fix (security): sluit path traversal in legacy /workloads/ endpoints Drie endpoints gebruikten os.path.join zonder validatie, waardoor een aanvaller buiten WORKLOADS_DIR kon lezen/schrijven. Vervangen door de bestaande _files_safe_join() helper die al door alle /files/ endpoints werd gebruikt. Endpoints: /workloads/read/, /workloads/save-file, /workloads/deploy/ Co-Authored-By: Claude Sonnet 4.6 --- control/app_files.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/control/app_files.py b/control/app_files.py index a3ff889..fa6ed13 100644 --- a/control/app_files.py +++ b/control/app_files.py @@ -44,7 +44,7 @@ def init_files_router(session, podman_api_base: str, workloads_dir: str) -> APIR @router.get("/workloads/read/{filename:path}") def read_workload(filename: str): - path = os.path.join(workloads_dir, filename) + path = _files_safe_join(filename) if not os.path.exists(path): raise HTTPException(404) with open(path, 'r') as f: @@ -55,7 +55,7 @@ def init_files_router(session, podman_api_base: str, workloads_dir: str) -> APIR def save_workload_file(data: dict): path = data.get("path") content = data.get("content") - full_path = os.path.join(workloads_dir, path) + full_path = _files_safe_join(path) os.makedirs(os.path.dirname(full_path), exist_ok=True) with open(full_path, "w") as f: f.write(content) @@ -63,7 +63,7 @@ def init_files_router(session, podman_api_base: str, workloads_dir: str) -> APIR @router.post("/workloads/deploy/{filename:path}") def deploy_workload(filename: str): - path = os.path.join(workloads_dir, filename) + path = _files_safe_join(filename) with open(path, 'r') as f: yaml_content = f.read() url = f"{podman_api_base}/libpod/kube/play"