Mirrors/mealie
1
0
Fork 0
mirror of https://github.com/mealie-recipes/mealie.git synced 2025-12-18 00:05:12 -05:00
Code Issues Packages Projects Releases Wiki Activity

security: restrict backup file upload (#1522)

Browse Source
This commit is contained in:
Hayden
2022-08-02 12:53:58 -08:00
committed by GitHub
parent 6649ccf224
commit 11478134a1
2 changed files with 38 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
mealie/routes/admin/admin_backups.py
View File

@@ -72,13 +72,24 @@ class AdminBackupController(BaseAdminController):
@router.post("/upload", response_model=SuccessResponse)
def upload_one(self, archive: UploadFile = File(...)):
"""Upload a .zip File to later be imported into Mealie"""
if "." not in archive.filename:
raise HTTPException(status.HTTP_400_BAD_REQUEST)
if archive.filename.split(".")[-1] != "zip":
raise HTTPException(status.HTTP_400_BAD_REQUEST)
name = Path(archive.filename).stem
app_dirs = get_app_dirs()
dest = app_dirs.BACKUP_DIR.joinpath(archive.filename)
dest = app_dirs.BACKUP_DIR.joinpath(f"{name}.zip")
if dest.absolute().parent != app_dirs.BACKUP_DIR:
raise HTTPException(status.HTTP_400_BAD_REQUEST)
with dest.open("wb") as buffer:
shutil.copyfileobj(archive.file, buffer)
if not dest.is_file:
if not dest.is_file():
raise HTTPException(status.HTTP_400_BAD_REQUEST)
@router.post("/{file_name}/restore", response_model=SuccessResponse)