
Conversation

psychedelicious
Collaborator

Summary

Fix an issue where the bulk image download route could allow directory traversal on Windows.

When getting a bulk download item and validating the path, we do two new checks:

  • New check: The file that will be retrieved by the route is in the bulk downloads temp dir (i.e. its parent dir is exactly the bulk downloads temp dir)
  • New check: The file name ends in .zip
  • Existing check: The file exists

Related Issues / Discussions

n/a

QA Instructions

  • Create a file in some directory outside the Invoke install and write something to it, e.g. C:\Temp\foo.txt with content "bar"
  • Go to the API docs http://localhost:9090/docs#/images/get_bulk_download_item
  • Provide a relative path as the item name, e.g. ..\..\..\foo.txt (the relative path will differ depending on your system)

On main, you'll get the file back. On this PR, you'll get a 404 not found.

Merge Plan

n/a

Checklist

  • The PR has a short but descriptive title, suitable for a changelog
  • Tests added / updated (if applicable)
  • ❗Changes to a redux slice have a corresponding migration
  • Documentation added / updated (if applicable)
  • Updated What's New copy (if doing a release after this PR)
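The validation the PR description outlines (parent directory must be exactly the bulk downloads temp dir, name must end in .zip, file must exist) can be expressed as a single path check. The following is an added example written for this page, not InvokeAI's own code: the function name, signature and the sample directory layout it builds are assumptions, and it uses `Path.resolve()` on both the base directory and the candidate so that `..` segments, absolute paths and symlinked temp dirs are compared on their canonical form.

```python
from pathlib import Path
from typing import Dict, Optional
import tempfile


def get_bulk_download_item_path(bulk_downloads_dir: Path, item_name: str) -> Optional[Path]:
    """Return the archive path for a bulk download item, or None if it is rejected.

    Hypothetical helper (not the project's API). The three checks mirror the
    PR description: parent dir is exactly the bulk downloads dir, the name
    ends in .zip, and the file exists.
    """
    base = bulk_downloads_dir.resolve()
    # Joining an absolute item_name replaces `base` entirely; resolve() then
    # collapses any `..` segments so the parent comparison below sees the real target.
    candidate = (base / item_name).resolve()

    # Check 1: the resolved file must sit directly inside the bulk downloads dir.
    # This rejects `..` traversal, absolute paths and files in nested subdirectories.
    if candidate.parent != base:
        return None
    # Check 2: the route only serves zip archives.
    if not candidate.name.endswith(".zip"):
        return None
    # Check 3: the file must exist and be a regular file (a 404 otherwise).
    if not candidate.is_file():
        return None
    return candidate


def demo() -> Dict[str, bool]:
    """Build a constructed directory layout and exercise the check with several item names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        downloads = root / "bulk_downloads"
        downloads.mkdir()
        (downloads / "nested").mkdir()
        # Constructed sample files; "PK" is just a stand-in for zip content.
        (downloads / "images.zip").write_bytes(b"PK")
        (downloads / "notes.txt").write_text("not an archive")
        (downloads / "nested" / "deep.zip").write_bytes(b"PK")
        (root / "secret.zip").write_bytes(b"PK")
        (root / "foo.txt").write_text("bar")

        check = lambda name: get_bulk_download_item_path(downloads, name) is not None
        return {
            # The only request that should succeed: a zip directly in the downloads dir.
            "valid_zip": check("images.zip"),
            # Traversal to a non-zip file one level up (the PR's QA scenario).
            "traversal_txt": check("../foo.txt"),
            # Traversal to a zip outside the dir: caught by the parent check alone.
            "traversal_zip": check("../secret.zip"),
            # Absolute path to a file outside the dir (absolute on every platform).
            "absolute_path": check(str(root / "foo.txt")),
            # Zip in a subdirectory: parent is not exactly the downloads dir.
            "nested_zip": check("nested/deep.zip"),
            # Correct location, wrong extension.
            "wrong_suffix": check("notes.txt"),
            # Correct location and suffix, but no such file.
            "missing_zip": check("missing.zip"),
            # Backslash form: a traversal on Windows, a literal (non-existent) name elsewhere;
            # rejected on both.
            "backslash_form": check("..\\..\\..\\foo.txt"),
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:16} -> {'served' if allowed else 'rejected'}")
```

Comparing `candidate.parent` for equality with the resolved base (rather than testing whether the base is a prefix of the candidate) is what makes the check strict: a zip placed in a subdirectory is refused along with anything outside the directory, which matches the PR's "parent dir is exactly the bulk downloads temp dir" wording.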

@github-actions github-actions bot added python PRs that change python files services PRs that change app services labels Sep 9, 2025
@psychedelicious psychedelicious enabled auto-merge (rebase) September 10, 2025 01:13
@psychedelicious psychedelicious force-pushed the psyche/fix/app/bulk-downloads-traversal branch from 47ef57a to eff565a Compare September 10, 2025 01:13
@psychedelicious psychedelicious merged commit efcd159 into main Sep 10, 2025
13 checks passed
@psychedelicious psychedelicious deleted the psyche/fix/app/bulk-downloads-traversal branch September 10, 2025 01:18