OpenWebUI/open-webui
1
0
Fork 0
mirror of https://github.com/open-webui/open-webui synced 2025-06-26 18:26:48 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

refac/security: pipelines upload path traversal

Browse Source
This commit is contained in:
Timothy Jaeryang Baek 2025-05-14 15:15:05 +04:00
parent d89e37cc7c
commit a9c22bffc9
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
backend/open_webui/routers/pipelines.py
View File

@ -197,8 +197,10 @@ async def upload_pipeline(
user=Depends(get_admin_user), user=Depends(get_admin_user),
): ):
log.info(f"upload_pipeline: urlIdx={urlIdx}, filename={file.filename}") log.info(f"upload_pipeline: urlIdx={urlIdx}, filename={file.filename}")
filename = os.path.basename(file.filename)
# Check if the uploaded file is a python file # Check if the uploaded file is a python file
if not (file.filename and file.filename.endswith(".py")): if not (filename and filename.endswith(".py")):
raise HTTPException( raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST, status_code=status.HTTP_400_BAD_REQUEST,
detail="Only Python (.py) files are allowed.", detail="Only Python (.py) files are allowed.",
@ -206,7 +208,7 @@ async def upload_pipeline(
upload_folder = f"{CACHE_DIR}/pipelines" upload_folder = f"{CACHE_DIR}/pipelines"
os.makedirs(upload_folder, exist_ok=True) os.makedirs(upload_folder, exist_ok=True)
file_path = os.path.join(upload_folder, file.filename) file_path = os.path.join(upload_folder, filename)
r = None r = None
try: try: