Verify that the symlink path requested lives under the 'rsync_basepath'

tieneupin · tieneupin · commit 4ad02364bc14 · 2025-12-09T14:08:21.000Z
diff --git a/src/murfey/server/api/file_io_frontend.py b/src/murfey/server/api/file_io_frontend.py
@@ -52,8 +52,16 @@ async def create_symlink(
     ]
     rsync_basepath = (machine_config.rsync_basepath or Path("")).resolve()
     symlink_full_path = rsync_basepath / symlink_params.symlink
+    # Verify that the symlink provided does not lead elsewhere
+    if not symlink_full_path.resolve().is_relative_to(rsync_basepath):
+        logger.warning(
+            "Symlink rejected because it will be created in a forbidden location"
+        )
+        return ""
+    # Remove and replace symlink if it exists are 'override' is set
     if symlink_full_path.is_symlink() and symlink_params.override:
         symlink_full_path.unlink()
+    # If a file/folder already exists using the desired symlink name, return empty string
     if symlink_full_path.exists():
         return ""
     symlink_full_path.symlink_to(rsync_basepath / symlink_params.target)
