From d290c9878473baf1f54d9a6569b7b95f08a98dad Mon Sep 17 00:00:00 2001
From: aerom
Date: Mon, 4 May 2026 23:19:03 -0400
Subject: [PATCH] Security: fix path traversal in chart_name

---
 backend/routers/org.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/backend/routers/org.py b/backend/routers/org.py
index dd4c0d1..2911f53 100644
--- a/backend/routers/org.py
+++ b/backend/routers/org.py
@@ -38,7 +38,10 @@ def _read_chart_bbox(chart_name: str) -> list | None:
 """Return [west, south, east, north] from the chart's meta.json, or None."""
 if not chart_name:
 return None
- meta = os.path.join(_CHARTS_DIR, chart_name, 'meta.json')
+ # Security: prevent path traversal — chart_name must not escape _CHARTS_DIR
+ meta = os.path.normpath(os.path.join(_CHARTS_DIR, chart_name, 'meta.json'))
+ if not meta.startswith(_CHARTS_DIR + os.sep):
+ return None
 try:
 with open(meta, 'r', encoding='utf-8') as f:
 data = json.load(f)
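Review bot: The containment check on the new `if not meta.startswith(_CHARTS_DIR + os.sep)` line is only correct if `_CHARTS_DIR` is itself already normalized, carries no trailing separator, and no symlink under the chart tree points outside it; `_CHARTS_DIR` is defined outside this hunk, so none of that can be confirmed here, and a trailing `os.sep` or a `..` component in it would make every lookup return None. Resolving both sides and comparing with `commonpath` removes those dependencies and also covers symlinks: `base = os.path.realpath(_CHARTS_DIR)`, `meta = os.path.realpath(os.path.join(base, chart_name, 'meta.json'))`, `if os.path.commonpath([base, meta]) != base: return None`. The added comment could state the invariant rather than the threat, e.g. `# chart_name is presumably request-supplied; resolve it and require the result to stay under _CHARTS_DIR`. `_read_chart_bbox` continues past the hunk (the try/except that opens meta), so it is not visible whether a rejected name is logged; a debug-level log at the early return would make probing observable to operators.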