This is an automated email from the ASF dual-hosted git repository.

nicknezis pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-heron.git


The following commit(s) were added to refs/heads/master by this push:
     new 6b883be  Protect from arbitrary json file reading and writing in 
integration_test http_server (#3739)
6b883be is described below

commit 6b883bec716df6c58b86a5e3f12970ab4e72c1c6
Author: Huijun Wu <[email protected]>
AuthorDate: Tue Nov 16 21:56:51 2021 -0800

    Protect from arbitrary json file reading and writing in integration_test 
http_server (#3739)
---
 integration_test/src/python/http_server/BUILD   | 1 +
 integration_test/src/python/http_server/main.py | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/integration_test/src/python/http_server/BUILD 
b/integration_test/src/python/http_server/BUILD
index 80f22be..7833e0d 100644
--- a/integration_test/src/python/http_server/BUILD
+++ b/integration_test/src/python/http_server/BUILD
@@ -8,6 +8,7 @@ pex_binary(
     main = "main.py",
     reqs = [
         "tornado==4.5.3",
+        "werkzeug==2.0.2",
     ],
     deps = [
         "//heron/common/src/python:common-py",
diff --git a/integration_test/src/python/http_server/main.py 
b/integration_test/src/python/http_server/main.py
index 95c396c..c1a57b2 100644
--- a/integration_test/src/python/http_server/main.py
+++ b/integration_test/src/python/http_server/main.py
@@ -21,6 +21,7 @@ import sys
 import tornado.ioloop
 import tornado.escape
 import tornado.web
+from werkzeug.utils import secure_filename
 
 from heron.common.src.python.utils import log
 
@@ -32,7 +33,7 @@ class MainHandler(tornado.web.RequestHandler):
 
 class FileHandler(tornado.web.RequestHandler):
   def get(self, fileName):
-    jsonFilePath = RESULTS_DIRECTORY + "/" + fileName + ".json"
+    jsonFilePath = RESULTS_DIRECTORY + "/" + secure_filename(fileName) + 
".json"
 
     if not os.path.exists(jsonFilePath):
       self.clear()
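Review bot: `secure_filename` can return an empty string (for a name made only of dots, separators or other stripped characters), so the new `jsonFilePath` on the `+` line can collapse to `RESULTS_DIRECTORY + "/.json"`; in `get` that reads a file the caller never named, and the identical line in the `post` hunk below would create or overwrite that file. The sanitized name should be checked before it is used: `safeName = secure_filename(fileName)`, `if not safeName: self.send_error(400); return`, `jsonFilePath = os.path.join(RESULTS_DIRECTORY, safeName + ".json")`. Building the path with `os.path.join` rather than string concatenation also avoids a doubled separator if `RESULTS_DIRECTORY` ever ends with `/`; a `realpath`-based containment check against `RESULTS_DIRECTORY` would be a cheap second line of defence, though `secure_filename` already strips path separators. Both `get` and `post` continue past their hunks, so the remainder of each method is not visible here.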
@@ -46,7 +47,7 @@ class FileHandler(tornado.web.RequestHandler):
       self.write(data)
 
   def post(self, fileName):
-    jsonFilePath = RESULTS_DIRECTORY + "/" + fileName + ".json"
+    jsonFilePath = RESULTS_DIRECTORY + "/" + secure_filename(fileName) + 
".json"
 
     #Overwrites the existing file
     with open(jsonFilePath, "w") as jsonFile:
