diff --git a/backend/routers/org.py b/backend/routers/org.py
index dd4c0d1..2911f53 100644
--- a/backend/routers/org.py
+++ b/backend/routers/org.py
@@ -38,7 +38,10 @@ def _read_chart_bbox(chart_name: str) -> list | None:
     """Return [west, south, east, north] from the chart's meta.json, or None."""
     if not chart_name:
         return None
-    meta = os.path.join(_CHARTS_DIR, chart_name, 'meta.json')
+    # Security: prevent path traversal — chart_name must not escape _CHARTS_DIR
+    meta = os.path.normpath(os.path.join(_CHARTS_DIR, chart_name, 'meta.json'))
+    if not meta.startswith(_CHARTS_DIR + os.sep):
+        return None
     try:
         with open(meta, 'r', encoding='utf-8') as f:
             data = json.load(f)
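Review bot: The new `if not meta.startswith(_CHARTS_DIR + os.sep):` line compares a normalized path against an un-normalized `_CHARTS_DIR`, so the guard's verdict depends on how that constant happens to be spelled: a trailing separator (`charts/` + `os.sep` yields `charts//`) or a leading `./` would make every lookup return None, while `..` segments inside the constant itself are not collapsed on the right-hand side. Normalizing both sides removes that fragility, and resolving through realpath additionally stops a symlink placed under the charts directory from pointing outside it, which a purely lexical normpath check cannot catch: `base = os.path.realpath(_CHARTS_DIR)`, `meta = os.path.realpath(os.path.join(base, chart_name, 'meta.json'))`, `if not meta.startswith(base + os.sep):`. Since the join always appends `meta.json` and the result is parsed with `json.load`, a traversal here could only read a file of that name, so the exposure is bounded, but the check should still be correct rather than accidentally either too strict or too loose. The definition of `_CHARTS_DIR` and the remainder of `_read_chart_bbox` lie outside this hunk.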