[NeuralChat] Refine path in AskDoc server (#1593)

* Update askdoc.yaml Signed-off-by: Liangyx2 <[email protected]> * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --------- Signed-off-by: Liangyx2 <[email protected]> Co-authored-by: Sun, Xuehao <[email protected]> Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
intel · Jun 14, 2024 · 127692d · 127692d
1 parent 8ab25cf
commit 127692d
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/intel_extension_for_transformers/neural_chat/server/restful/retrieval_api.py b/intel_extension_for_transformers/neural_chat/server/restful/retrieval_api.py
@@ -234,6 +234,13 @@ def handle_retrieval_request(self, request: RetrievalRequest) -> RetrievalRespon
 RETRIEVAL_FILE_PATH = os.getenv("RETRIEVAL_FILE_PATH", default="./retrieval_docs")+'/'
 EXCEPT_PATTERNS = ["/xuhui_doc", "default/persist_dir"]
 
+def safe_join(base_path, *paths):
+    # Prevent path traversal by ensuring the final path is within the base path
+    base_path = os.path.abspath(base_path)
+    final_path = os.path.abspath(os.path.join(base_path, *paths))
+    if not final_path.startswith(base_path):
+        raise ValueError("Attempted Path Traversal Detected")
+    return final_path
 
 @router.post("/v1/askdoc/upload_link")
 async def retrieval_upload_link(request: Request):
@@ -316,7 +323,7 @@ async def retrieval_add_files(request: Request,
         path_prefix = get_path_prefix(kb_id, user_id)
         upload_path = path_prefix + '/upload_dir'
         persist_path = path_prefix + '/persist_dir'
-        save_path = Path(upload_path) / file_path
+        save_path = safe_join(Path(upload_path), file_path)
         save_path.parent.mkdir(parents=True, exist_ok=True)
 
         # save file content to local disk
@@ -618,7 +625,7 @@ async def delete_single_file(request: Request):
         logger.info(f"[askdoc - delete_file] successfully delete kb {knowledge_base_id}")
         return {"status": True}
 
-    delete_path = Path(path_prefix) / "upload_dir" / del_path
+    delete_path = safe_join(Path(path_prefix) / "upload_dir", del_path)
     logger.info(f'[askdoc - delete_file] delete_path: {delete_path}')
 
     # partially delete files/folders from the kb