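--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -80,14 +80,13 @@ async def serve_app(full_path: str):
     try:
         candidate = (BUILD_DIR_PATH / full_path).resolve()
 
-        # Ensure resolved path is within BUILD_DIR
-        if not str(candidate).startswith(str(BUILD_DIR_PATH)):
-            raise HTTPException(status_code=404)
-
-        # Compute relative parts and block dotfiles anywhere in path
+        # Compute relative parts and block dotfiles anywhere in path.
+        # Use Path.relative_to() as the canonical containment check; it
+        # raises an exception if `candidate` is outside `BUILD_DIR_PATH`.
         try:
             rel_parts = candidate.relative_to(BUILD_DIR_PATH).parts
         except Exception:
+            # Not contained -> possible traversal attempt
             raise HTTPException(status_code=404)
 
         if any(part.startswith('.') for part in rel_parts):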
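Review bot: The `except Exception:` around the `relative_to` call is broader than the containment check needs; `Path.relative_to` reports a path outside the base with `ValueError`, so `except ValueError:` keeps the 404 for non-contained paths while letting genuinely unexpected errors surface instead of being reported as "not found". The added comment should say so concretely, e.g. `# relative_to() raises ValueError when candidate is outside BUILD_DIR_PATH`. The check is only sound if `BUILD_DIR_PATH` is itself already resolved (absolute, symlinks followed), because `candidate` is resolved on the line above it; if the constant is not, every request fails `relative_to` and 404s, so it is worth confirming where `BUILD_DIR_PATH` is defined, outside this hunk. `serve_app` begins before the hunk and the handler for the outer `try:` lies after it, so I cannot confirm from here that the 404 raised inside propagates unchanged.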