Sanitize path to prevent directory traversal

NL-TCH · Mar 8, 2024 · 2cdf6ef · 2cdf6ef
1 parent ef7b67a
commit 2cdf6ef
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 7 deletions.
diff --git a/.gitignore b/.gitignore
@@ -5,4 +5,3 @@ yarn-error.log
 includes/config.php
 rootCA.pem
 vendor
-.env
diff --git a/api/modules/wireguard.py b/api/modules/wireguard.py
@@ -1,5 +1,6 @@
 import subprocess
 import re
+import os
 
 def configs():
     #ignore symlinks, because wg0.conf is in production the main config, but in insiders it is a symlink
@@ -24,13 +25,16 @@ def client_config_list(client_config):
     if not re.match(pattern, client_config):
         raise ValueError("Invalid client_config")
 
-    config_path = f"/etc/wireguard/{client_config}"
-    try:
-        with open(config_path, 'r') as f:
-            output = f.read().strip()
-            return output.split('\n')
-    except FileNotFoundError:
+    # sanitize path to prevent directory traversal
+    client_config = os.path.basename(client_config)
+
+    config_path = os.path.join("/etc/wireguard/", client_config)
+    if not os.path.exists(config_path):
         raise FileNotFoundError("Client configuration file not found")
 
+    with open(config_path, 'r') as f:
+        output = f.read().strip()
+        return output.split('\n')
+
 #TODO: where is the logfile??
 #TODO: is service connected?
-Original file line number
+Diff line change
@@ Expand Up / @@ -5,4 +5,3 @@ yarn-error.log @@
     includes/config.php
     rootCA.pem
     vendor
-    .env