Security: fix path traversal in chart_name

This commit is contained in:
2026-05-04 23:19:03 -04:00
parent fcf1d2787a
commit d290c98784
+4 -1
View File
@@ -38,7 +38,10 @@ def _read_chart_bbox(chart_name: str) -> list | None:
"""Return [west, south, east, north] from the chart's meta.json, or None."""
if not chart_name:
return None
meta = os.path.join(_CHARTS_DIR, chart_name, 'meta.json')
# Security: prevent path traversal — chart_name must not escape _CHARTS_DIR
meta = os.path.normpath(os.path.join(_CHARTS_DIR, chart_name, 'meta.json'))
if not meta.startswith(_CHARTS_DIR + os.sep):
return None
try:
with open(meta, 'r', encoding='utf-8') as f:
data = json.load(f)