jyapayne/langflow
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions

fix uncontrolled data used in path expression from /custom_component (#1926)

Browse source
This commit is contained in:
Nicolò Boschi 2024-05-23 12:37:28 +02:00 committed by GitHub
commit 349443c4cc
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 5 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/backend/base/langflow/api/utils.py
View file

@ -1,3 +1,4 @@
import os
import warnings
from pathlib import Path
from typing import TYPE_CHECKING, Optional
@ -140,7 +141,10 @@ def get_file_path_value(file_path):
# If the path is not in the cache dir, return empty string
# This is to prevent access to files outside the cache dir
# If the path is not a file, return empty string
if not path.exists() or not str(path).startswith(user_cache_dir("langflow", "langflow")):
if not str(path).startswith(user_cache_dir("langflow", "langflow")):
return ""
if not path.exists():
return ""
return file_path