@@ -234,6 +234,13 @@ def handle_retrieval_request(self, request: RetrievalRequest) -> RetrievalRespon
234234RETRIEVAL_FILE_PATH = os .getenv ("RETRIEVAL_FILE_PATH" , default = "./retrieval_docs" )+ '/'
235235EXCEPT_PATTERNS = ["/xuhui_doc" , "default/persist_dir" ]
236236
237+ def safe_join (base_path , * paths ):
238+ # Prevent path traversal by ensuring the final path is within the base path
239+ base_path = os .path .abspath (base_path )
240+ final_path = os .path .abspath (os .path .join (base_path , * paths ))
241+ if not final_path .startswith (base_path ):
242+ raise ValueError ("Attempted Path Traversal Detected" )
243+ return final_path
237244
238245@router .post ("/v1/askdoc/upload_link" )
239246async def retrieval_upload_link (request : Request ):
@@ -316,7 +323,7 @@ async def retrieval_add_files(request: Request,
316323 path_prefix = get_path_prefix (kb_id , user_id )
317324 upload_path = path_prefix + '/upload_dir'
318325 persist_path = path_prefix + '/persist_dir'
319- save_path = Path (upload_path ) / file_path
326+ save_path = safe_join ( Path (upload_path ), file_path )
320327 save_path .parent .mkdir (parents = True , exist_ok = True )
321328
322329 # save file content to local disk
@@ -618,7 +625,7 @@ async def delete_single_file(request: Request):
618625 logger .info (f"[askdoc - delete_file] successfully delete kb { knowledge_base_id } )
619626 return {"status" : True }
620627
621- delete_path = Path (path_prefix ) / "upload_dir" / del_path
628+ delete_path = safe_join ( Path (path_prefix ) / "upload_dir" , del_path )
622629 logger .info (f'[askdoc - delete_file] delete_path: { delete_path } )
623630
624631 # partially delete files/folders from the kb
![pre-commit-ci[bot]](https://avatars.githubusercontent.com/in/68672?v=4&size=40){kind=avatar}
0 commit comments