smartezbench: verify the report name does not contain ../

author: Martin Peres <martin.peres@linux.intel.com> 2017-06-13 10:56:04 +0300
committer: Martin Peres <martin.peres@linux.intel.com> 2017-10-04 17:48:28 +0300
commit: 04124823f9916ec615aa5aaf2c0b8d8ff315716a (patch)
tree: 2ff287257118f20ef3a749bc6d7313f6f8c8d530
parent: 49ad4179e48d3f5acf83198f66bb462e08b86a22 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/python-modules/ezbench/smartezbench.py b/python-modules/ezbench/smartezbench.py
index 86bf64c..0f99dab 100644
--- a/python-modules/ezbench/smartezbench.py
+++ b/python-modules/ezbench/smartezbench.py
@@ -217,7 +217,7 @@ class SmartEzbench:
         self.readonly = readonly
         self.ezbench_dir = ezbench_dir
         self.report_name = report_name
-        self.log_folder = ezbench_dir + '/logs/' + report_name
+        self.log_folder = os.path.abspath(ezbench_dir + '/logs/' + report_name)
         self.hook_binary_path = hook_binary_path
         self.logs_callback = logs_callback
         self.hooks_callback = hooks_callback
@@ -239,6 +239,11 @@ class SmartEzbench:
 
         self.min_criticality = Criticality.II
 
+        # Verify that the absolute path actually starts with ezbench_dir + '/logs/'
+        base_path = os.path.abspath(ezbench_dir + '/logs/')
+        if not self.log_folder.startswith(base_path):
+            raise ValueError("Invalid report name")
+
         # Create the log directory
         if not readonly and not os.path.exists(self.log_folder):
             os.makedirs(self.log_folder)
author	Martin Peres <martin.peres@linux.intel.com>	2017-06-13 10:56:04 +0300
committer	Martin Peres <martin.peres@linux.intel.com>	2017-10-04 17:48:28 +0300
commit	04124823f9916ec615aa5aaf2c0b8d8ff315716a (patch)
tree	2ff287257118f20ef3a749bc6d7313f6f8c8d530
parent	49ad4179e48d3f5acf83198f66bb462e08b86a22 (diff)