Preventing External File References Using Relative Paths in Image Tags

[jp-96]

Objective: Restrict the replacement of picture files to those located within a subfolder of media_path.

# src/python_odt_template/jinja.py

def get_odt_renderer(media_path: str | Path, env: Environment = environment) -> ODTRenderer:
    media_path = Path(media_path)

    def image_filter(value):
        file_path = media_path.joinpath(value).resolve()
        file_path.relative_to(media_path)   # validate subpath
        return file_path

In this function, image_filter, the file_path is constructed by joining media_path with the provided value. The file_path is then resolved to an absolute path. To ensure that the file_path is a valid subpath of media_path, relative_to method is used for validation. If the file_path is not within a subfolder of media_path, an exception will be raised.

src/python_odt_template/django.py also similarly

[Tobi-De]

hi @jp-96
The point is to validate that file exists ?

[jp-96]

No, to avoid file references to anything other than media_path.

Because, using relative paths, a media_path for user A, which is easy to guess, will cause user X to refer to user A's picture file.

If the media_path for user A is /myapplication/usera/media and the media_path for user X is /myapplication/userx/media, user X will refer to the relative path . /... /usera/media/secret.png could be used to refer to user A's file.