Security: prevent path traversal in storage paths

2026-01-14 21:54:22 -06:00 · 2026-01-11 11:55:52 -08:00
parent eca2ba3657
commit 7c457466b7
3 changed files with 62 additions and 3 deletions
--- a/src/documents/templating/filepath.py
+++ b/src/documents/templating/filepath.py
@@ -262,6 +262,17 @@ def get_custom_fields_context(
    return field_data


+def _is_safe_relative_path(value: str) -> bool:
+    if value == "":
+        return True
+
+    path = PurePath(value)
+    if path.is_absolute() or path.drive:
+        return False
+
+    return ".." not in path.parts
+
+
 def validate_filepath_template_and_render(
    template_string: str,
    document: Document | None = None,
@@ -309,6 +320,12 @@ def validate_filepath_template_and_render(
        )
        rendered_template = template.render(context)

+        if not _is_safe_relative_path(rendered_template):
+            logger.warning(
+                "Template rendered an unsafe path (absolute or containing traversal).",
+            )
+            return None
+
        # We're good!
        return rendered_template
    except UndefinedError: