Sanitise symlink path and verify that it's relative to 'rsync_basepath'

tieneupin · tieneupin · commit d5120a79a105 · 2025-12-09T14:22:46.000Z
diff --git a/src/murfey/server/api/file_io_frontend.py b/src/murfey/server/api/file_io_frontend.py
@@ -14,6 +14,7 @@
     process_gain as _process_gain,
 )
 from murfey.server.murfey_db import murfey_db
+from murfey.util import secure_path
 from murfey.util.config import get_machine_config
 from murfey.util.db import Session
 
@@ -51,10 +52,22 @@ async def create_symlink(
         instrument_name
     ]
     rsync_basepath = (machine_config.rsync_basepath or Path("")).resolve()
-    symlink_full_path = rsync_basepath / symlink_params.symlink
+    symlink_full_path = secure_path(
+        rsync_basepath / symlink_params.symlink, keep_spaces=True
+    )
+    # Verify that the symlink provided does not lead elsewhere
+    if not symlink_full_path.resolve().is_relative_to(rsync_basepath):
+        logger.warning(
+            "Symlink rejected because it will be created in a forbidden location"
+        )
+        return ""
+    # Remove and replace symlink if it exists are 'override' is set
     if symlink_full_path.is_symlink() and symlink_params.override:
         symlink_full_path.unlink()
+    # If a file/folder already exists using the desired symlink name, return empty string
     if symlink_full_path.exists():
         return ""
-    symlink_full_path.symlink_to(rsync_basepath / symlink_params.target)
+    symlink_full_path.symlink_to(
+        secure_path(rsync_basepath / symlink_params.target, keep_spaces=True)
+    )
     return str(symlink_params.symlink)
