backend: Perform some path validation

author Michael Tremer <michael.tremer@ipfire.org>

Tue, 11 Feb 2025 16:39:00 +0000 (16:39 +0000)

committer Michael Tremer <michael.tremer@ipfire.org>

Tue, 11 Feb 2025 16:39:00 +0000 (16:39 +0000)
author Michael Tremer <michael.tremer@ipfire.org>
Tue, 11 Feb 2025 16:39:00 +0000 (16:39 +0000)
committer Michael Tremer <michael.tremer@ipfire.org>
Tue, 11 Feb 2025 16:39:00 +0000 (16:39 +0000)
diff --git a/src/buildservice/__init__.py b/src/buildservice/__init__.py

index bcff0b0cf30e246e3fe6811350b2851e66b3accb..3aff14deada13be937df47e25af5864ae37349a1 100644 (file)
--- a/src/buildservice/__init__.py
+++ b/src/buildservice/__init__.py
@@ -160,7 +160,17 @@ class Backend(object):
                 """
                         Takes a relative path and makes it absolute
                 """
-               return os.path.join(self.basepath, *args)
+               # Make the path
+               path = os.path.join(self.basepath, *args)
+
+               # Make the path absolute
+               path = os.path.abspath(path)
+
+               # Ensure that the path is inside the base path
+               if not path.startswith("%s/" % self.basepath):
+                       raise ValueError("Invalid path: %s" % path)
+
+               return path
  
         def relpath(self, path):
                 """
author	Michael Tremer <michael.tremer@ipfire.org>
	Tue, 11 Feb 2025 16:39:00 +0000 (16:39 +0000)
committer	Michael Tremer <michael.tremer@ipfire.org>
	Tue, 11 Feb 2025 16:39:00 +0000 (16:39 +0000)