feat: add path validation for model folder in ExampleImagesFileManager

2026-03-21 21:22:11 -03:00 · 2025-08-05 07:35:19 +08:00
parent 33c83358b0
commit b0c2027a1c
1 changed files with 9 additions and 1 deletions
--- a/py/utils/example_images_file_manager.py
+++ b/py/utils/example_images_file_manager.py
@@ -43,7 +43,15 @@ class ExampleImagesFileManager:
            
            # Construct folder path for this model
            model_folder = os.path.join(example_images_path, model_hash)
-            
+            model_folder = os.path.abspath(model_folder)  # Get absolute path
+
+            # Path validation: ensure model_folder is under example_images_path
+            if not model_folder.startswith(os.path.abspath(example_images_path)):
+                return web.json_response({
+                    'success': False,
+                    'error': 'Invalid model folder path'
+                }, status=400)
+
            # Check if folder exists
            if not os.path.exists(model_folder):
                return web.json_response({