From 1aedc4f9dfbff4374f83e77b1fd3822cdf3051f1 Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Tue, 26 May 2026 05:51:41 -0700
Subject: [PATCH] fix(security): path traversal in file cleanup command

In `accounts/management/commands/clean_old_tmp_upload_files.py`, the code concatenates `settings.FILE_UPLOAD_TEMP_DIR` with `f` using simple string concatenation (`settings.FILE_UPLOAD_TEMP_DIR + f`). If `settings.FILE_UPLOAD_TEMP_DIR` does not end with a path separator, or if an attacker can influence the directory contents, this could lead to path traversal. More critically, the code iterates over all files in the directory and deletes them without proper validation, which could be exploited if the directory is not properly secured.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 .../management/commands/clean_old_tmp_upload_files.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/accounts/management/commands/clean_old_tmp_upload_files.py b/accounts/management/commands/clean_old_tmp_upload_files.py
index 5fe4e347b..57811a0fb 100644
--- a/accounts/management/commands/clean_old_tmp_upload_files.py
+++ b/accounts/management/commands/clean_old_tmp_upload_files.py
@@ -32,10 +32,15 @@ class Command(BaseCommand):
     def handle(self, *args, **options):
         for f in os.listdir(settings.FILE_UPLOAD_TEMP_DIR):
+            file_path = os.path.join(settings.FILE_UPLOAD_TEMP_DIR, f)
+            file_path = os.path.realpath(file_path)
+            temp_dir = os.path.realpath(settings.FILE_UPLOAD_TEMP_DIR)
+            if not file_path.startswith(temp_dir + os.sep):
+                continue
             f_mod_date = datetime.datetime.fromtimestamp(
-                os.path.getmtime(settings.FILE_UPLOAD_TEMP_DIR + f), tz=datetime.timezone.utc
+                os.path.getmtime(file_path), tz=datetime.timezone.utc
             )
             now = timezone.now()
             if (now - f_mod_date).total_seconds() > 3600 * 24:
                 print(f"Deleting {f}")
-                os.remove(settings.FILE_UPLOAD_TEMP_DIR + f)
+                os.remove(file_path)
\ No newline at end of file
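Review bot: The containment check added before the mtime lookup silently `continue`s past any entry whose resolved path lies outside FILE_UPLOAD_TEMP_DIR, and that is exactly the condition a defender wants surfaced (a link planted in the upload directory that resolves elsewhere); write it to the command's stderr, e.g. `self.stderr.write(f"Skipping {f}: resolves outside the upload dir")`, rather than dropping it. Because `file_path` is the realpath, `os.remove(file_path)` on a symlink entry deletes the link's target rather than the link itself, so entries that are not regular files should be skipped on the unresolved join before resolving; `os.path.commonpath([temp_dir, file_path]) == temp_dir` is also a more robust containment test than the `startswith(temp_dir + os.sep)` prefix check. `temp_dir = os.path.realpath(...)` is loop-invariant and belongs before the `for`. The `Command` class that encloses `handle` starts outside the hunk.
```python
    def handle(self, *args, **options):
        temp_dir = os.path.realpath(settings.FILE_UPLOAD_TEMP_DIR)
        for f in os.listdir(settings.FILE_UPLOAD_TEMP_DIR):
            entry = os.path.join(settings.FILE_UPLOAD_TEMP_DIR, f)
            # Refuse links and non-files before resolving, so a planted link is never followed.
            if os.path.islink(entry) or not os.path.isfile(entry):
                self.stderr.write(f"Skipping {f}: not a regular file")
                continue
            file_path = os.path.realpath(entry)
            if os.path.commonpath([temp_dir, file_path]) != temp_dir:
                self.stderr.write(f"Skipping {f}: resolves outside the upload dir")
                continue
            # … unchanged: mtime check and os.remove(file_path) …
```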