


eba169e735 Potential fix for code scanning alert no. 116: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2026-05-25 17:35:35 +05:30
2 changed files with 24 additions and 9 deletions


@@ -942,9 +942,20 @@ async def serve_product_avatar(
if current_user_id != user_id: if current_user_id != user_id:
raise HTTPException(status_code=403, detail="Access denied") raise HTTPException(status_code=403, detail="Access denied")
# Locate video file # Restrict to a filename only (no nested paths)
requested_name = Path(filename)
if requested_name.is_absolute() or requested_name.name != filename:
raise HTTPException(status_code=400, detail="Invalid filename")
# Locate and validate video file path within user's avatar directory
base_dir = Path(__file__).parent.parent.parent base_dir = Path(__file__).parent.parent.parent
video_path = base_dir / "product_avatars" / user_id / filename user_root = (base_dir / "product_avatars" / current_user_id).resolve()
video_path = (user_root / requested_name).resolve()
try:
video_path.relative_to(user_root)
except ValueError:
raise HTTPException(status_code=400, detail="Invalid filename")
if not video_path.exists(): if not video_path.exists():
raise HTTPException(status_code=404, detail="Video not found") raise HTTPException(status_code=404, detail="Video not found")
@@ -952,7 +963,7 @@ async def serve_product_avatar(
return FileResponse( return FileResponse(
path=str(video_path), path=str(video_path),
media_type="video/mp4", media_type="video/mp4",
filename=filename filename=requested_name.name
) )
except HTTPException: except HTTPException:
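Review bot: The check `if not video_path.exists():` still admits a directory: `Path("").name` is `""`, so an empty filename (if the route ever delivers one) passes the name check, resolves to `user_root` itself, survives `relative_to`, and reaches FileResponse as a directory; the video-studio handler in this same commit uses `is_file()`, so `if not video_path.is_file():` would be both consistent and sufficient here. The `try` only wraps `relative_to`, while the two `.resolve()` calls sit outside it — presumably a filename with an embedded NUL byte would then surface as an unhandled ValueError rather than the 400, so widening the `try` to cover them (as the other handler does) is worth considering. The re-raise would also read cleaner as `raise HTTPException(status_code=400, detail="Invalid filename") from None`, since the ValueError carries nothing the client should see. serve_product_avatar starts before the first hunk and continues after the second.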


@@ -40,25 +40,29 @@ async def serve_video_studio_video(
video_studio_videos_dir = base_dir / "video_studio_videos" video_studio_videos_dir = base_dir / "video_studio_videos"
video_path = video_studio_videos_dir / user_id / video_filename video_path = video_studio_videos_dir / user_id / video_filename
# Security: Resolve and ensure path is within video_studio_videos directory # Security: Ensure path is within video_studio_videos directory
try: try:
resolved_base = video_studio_videos_dir.resolve()
resolved_path = video_path.resolve() resolved_path = video_path.resolve()
resolved_path.relative_to(resolved_base) resolved_base = video_studio_videos_dir.resolve()
if not str(resolved_path).startswith(str(resolved_base)):
raise HTTPException(
status_code=403,
detail="Invalid video path"
)
except (OSError, ValueError) as e: except (OSError, ValueError) as e:
logger.error(f"[VideoStudio] Path resolution error: {e}") logger.error(f"[VideoStudio] Path resolution error: {e}")
raise HTTPException(status_code=403, detail="Invalid video path") raise HTTPException(status_code=403, detail="Invalid video path")
# Check if file exists # Check if file exists
if not resolved_path.exists() or not resolved_path.is_file(): if not video_path.exists() or not video_path.is_file():
raise HTTPException( raise HTTPException(
status_code=404, status_code=404,
detail=f"Video not found: {video_filename}" detail=f"Video not found: {video_filename}"
) )
logger.info(f"[VideoStudio] Serving video: {resolved_path}") logger.info(f"[VideoStudio] Serving video: {video_path}")
return FileResponse( return FileResponse(
path=str(resolved_path), path=str(video_path),
media_type="video/mp4", media_type="video/mp4",
filename=video_filename, filename=video_filename,
) )
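Review bot: The new containment test `if not str(resolved_path).startswith(str(resolved_base)):` is weaker than the `relative_to` call it replaces: a string prefix carries no trailing separator, so any sibling of `video_studio_videos` whose name merely begins with that string also satisfies it, whereas `relative_to` only accepts true descendants. Keep `resolved_path.relative_to(resolved_base)` (or `resolved_path.is_relative_to(resolved_base)` on Python 3.9+); the ValueError it raises is already mapped to the 403 by the enclosing `except (OSError, ValueError)` clause, so no extra branch is needed. The existence check, the `logger.info` line and the FileResponse were also switched from `resolved_path` back to the unresolved `video_path`, so the path that is validated is no longer the path that is served — use `resolved_path` in all three places. serve_video_studio_video starts before the hunk.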