Prevent arbitrary file read via path traversal

lukicdarkoo · lukicdarkoo · commit 2226b84cc11e · 2025-12-08T11:48:45.000+01:00
diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "teleop"
-version = "0.1.3"
+version = "0.1.4"
 description = "Turns your phone into a robot arm teleoperation device by leveraging the WebXR API"
 readme = { file = "README.md", content-type = "text/markdown" }
 license = { file = "LICENSE" }
@@ -31,4 +31,4 @@ utils = ["pin"]
 include = ["teleop*"]
 
 [tool.setuptools.package-data]
-teleop = ["cert.pem", "key.pem", "index.html", "teleop-ui.js", "utils/lite6.urdf"]
+teleop = ["cert.pem", "key.pem", "index.html", "assets/*", "utils/lite6.urdf"]
diff --git a/teleop/__init__.py b/teleop/__init__.py
@@ -6,6 +6,7 @@
 import uvicorn
 from fastapi import FastAPI, WebSocket, WebSocketDisconnect
 from fastapi.responses import FileResponse
+from fastapi.staticfiles import StaticFiles
 import transforms3d as t3d
 import numpy as np
 import json
@@ -278,19 +279,15 @@ def __update(self, message):
         self.__notify_subscribers(self.__pose, message)
 
     def __setup_routes(self):
+        # Mount static files directory
+        assets_dir = os.path.join(THIS_DIR, "assets")
+        self.__app.mount("/assets", StaticFiles(directory=assets_dir), name="assets")
+
         @self.__app.get("/")
         async def index():
             self.__logger.debug("Serving the index.html file")
             return FileResponse(os.path.join(THIS_DIR, "index.html"))
 
-        @self.__app.get("/{filename:path}")
-        async def serve_file(filename: str):
-            self.__logger.debug(f"Serving the {filename} file")
-            file_path = os.path.join(THIS_DIR, filename)
-            if os.path.exists(file_path):
-                return FileResponse(file_path)
-            return {"error": "File not found"}
-
         @self.__app.websocket("/ws")
         async def websocket_endpoint(websocket: WebSocket):
             await self.__manager.connect(websocket)
diff --git a/teleop/assets/teleop-ui.js b/teleop/assets/teleop-ui.js
diff --git a/teleop/index.html b/teleop/index.html
@@ -5,7 +5,7 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>Teleop</title>
-    <script src="teleop-ui.js"></script>
+    <script src="/assets/teleop-ui.js"></script>
 
     <style>
         * {
diff --git a/teleop/test-teleop-ui.html b/teleop/test-teleop-ui.html
@@ -5,7 +5,7 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>Teleop</title>
-    <script src="teleop-ui.js"></script>
+    <script src="/assets/teleop-ui.js"></script>
     <style>
         * {
             margin: 0;
