fix: fix security issue

cmsax · cmsax · commit ea0e60e4515e · 2020-05-20T22:17:38.000+08:00
diff --git a/yigesamo/server.py b/yigesamo/server.py
@@ -69,7 +69,12 @@ def make_file_response(cls, text_content):
 
     @classmethod
     def get_file_response(cls, q):
-        if not os.path.exists(q):
+        # prevent internal file
+        if any(
+            '/' in q,
+            not q.endswith('ris'),
+            not os.path.exists(q)
+        ):
             return HTTPException(404, 'file not found')
 
         return FileResponse(
