Added error checking with raising NodeServerError

pull/1070/head
teslov 2021-10-11 20:21:11 +03:00
rodzic 984415d6dd
commit cd0f1dedee
1 zmienionych plików z 9 dodań i 6 usunięć


@ -19,7 +19,7 @@ from django.contrib.gis.gdal import GDALRaster
from django.contrib.gis.gdal import OGRGeometry from django.contrib.gis.gdal import OGRGeometry
from django.contrib.gis.geos import GEOSGeometry from django.contrib.gis.geos import GEOSGeometry
from django.contrib.postgres import fields from django.contrib.postgres import fields
from django.core.exceptions import ValidationError from django.core.exceptions import ValidationError, SuspiciousFileOperation
from django.db import models from django.db import models
from django.db import transaction from django.db import transaction
from django.db import connection from django.db import connection
@ -463,16 +463,19 @@ class Task(models.Model):
self.save() self.save()
zip_path = self.assets_path("all.zip") zip_path = self.assets_path("all.zip")
# Import assets file from mounted system volume (media-dir)/imports, or from inside docker container. # Import assets file from mounted system volume (media-dir)/imports by relative path.
# Import file from system in case of system installation. # Import file from relative path.
if self.import_url and not os.path.exists(zip_path): if self.import_url and not os.path.exists(zip_path):
if self.import_url.startswith("file://"): if self.import_url.startswith("file://"):
imports_folder_path = os.path.join(settings.MEDIA_ROOT, "imports") imports_folder_path = os.path.join(settings.MEDIA_ROOT, "imports")
unsafe_path_to_import_file = os.path.join(settings.MEDIA_ROOT, "imports", self.import_url.replace("file://", "")) unsafe_path_to_import_file = os.path.join(settings.MEDIA_ROOT, "imports", self.import_url.replace("file://", ""))
# check is file placed in shared media folder in /imports directory without traversing # check is file placed in shared media folder in /imports directory without traversing
checked_path_to_file = path_traversal_check(unsafe_path_to_import_file, imports_folder_path) try:
if os.path.isfile(checked_path_to_file): checked_path_to_file = path_traversal_check(unsafe_path_to_import_file, imports_folder_path)
copyfile(checked_path_to_file, zip_path) if os.path.isfile(checked_path_to_file):
copyfile(checked_path_to_file, zip_path)
except SuspiciousFileOperation as e:
raise NodeServerError(e)
else: else:
try: try:
# TODO: this is potentially vulnerable to a zip bomb attack # TODO: this is potentially vulnerable to a zip bomb attack
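Review bot: `raise NodeServerError(e)` at the end of the new except block forwards the SuspiciousFileOperation text verbatim; if path_traversal_check builds its message the way Django's safe_join does, that text contains the resolved absolute path and so echoes the directory layout under MEDIA_ROOT back to whoever supplied import_url. Replace it with a fixed message and keep the cause for the traceback, `raise NodeServerError("Import file path is not allowed") from e`, logging the original exception server-side if the detail is wanted. The commit also leaves the case where checked_path_to_file passes the check but `os.path.isfile` is false as a silent no-op, so a missing import file produces neither a zip nor an error at this point; an `else: raise NodeServerError("Import file not found")` branch on the isfile test would make that path report consistently with the new one. The enclosing method of Task starts before this hunk.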