Ensure resource look ups exist under their respective directory. Fixes #725

Author: rgthree

py/server/utils_server.py

@@ -1,6 +1,8 @@
 import os
 from aiohttp import web
 
+from ..utils import sub_abspath
+
 THIS_DIR = os.path.dirname(os.path.abspath(__file__))
 DIR_WEB = os.path.abspath(f'{THIS_DIR}/../../web/')
 
@@ -23,18 +25,25 @@ def is_param_truthy(request, param):
 
 
 def set_default_page_resources(path, routes):
-  """ Sets up routes for handling static files under a path."""
+  """Sets up routes for handling static files under a path."""
 
   @routes.get(f'/rgthree/{path}/{{file}}')
   async def get_resource(request):
-    """ Returns a resource file. """
-    return web.FileResponse(os.path.join(DIR_WEB, path, request.match_info['file']))
+    """Returns a resource file."""
+    filepath = request.match_info['file']
+    abspath = sub_abspath(os.path.join(DIR_WEB, path), filepath)
+    if abspath is None:
+      return web.HTTPNotFound()
+    return web.FileResponse(abspath)
 
   @routes.get(f'/rgthree/{path}/{{subdir}}/{{file}}')
   async def get_resource_subdir(request):
-    """ Returns a resource file. """
-    return web.FileResponse(
-      os.path.join(DIR_WEB, path, request.match_info['subdir'], request.match_info['file']))
+    """Returns a resource file."""
+    filepath = os.path.join(request.match_info['subdir'], request.match_info['file'])
+    abspath = sub_abspath(os.path.join(DIR_WEB, path), filepath)
+    if abspath is None:
+      return web.HTTPNotFound()
+    return web.FileResponse(abspath)
 
 
 def set_default_page_routes(path, routes):

py/utils.py

@@ -152,10 +152,19 @@ def remove_path(path):
 
 def abspath(file_path: str):
   """Resolves the abspath of a file, resolving symlinks and user dirs."""
-  if file_path and not path_exists(file_path):
+  abs_path = os.path.abspath(file_path) if file_path else file_path
+  if abs_path and not path_exists(abs_path):
     maybe_path = os.path.abspath(os.path.realpath(os.path.expanduser(file_path)))
-    file_path = maybe_path if path_exists(maybe_path) else file_path
-  return file_path
+    abs_path = maybe_path if path_exists(maybe_path) else abs_path
+  return abs_path
+
+def sub_abspath(parent_dir: str, rel_path: str):
+  """Resolves the abspath under a parent directory ensuring it exists and is contained within."""
+  rel_path = os.path.join(parent_dir, rel_path)
+  abs_path = abspath(rel_path)
+  if not path_exists(abs_path) or not abs_path.startswith(parent_dir):
+    return None
+  return abs_path
 
 class ByPassTypeTuple(tuple):
   """A special class that will return additional "AnyType" strings beyond defined values.

pyproject.toml

@@ -1,7 +1,7 @@
 [project]
 name = "rgthree-comfy"
 description = "Making ComfyUI more comfortable."
-version = "1.0.2604070017"
+version = "1.0.2605082257"
 license = { file = "LICENSE" }
 dependencies = []