From 1bf12c3c64ddfa2e3e57038c1cac6a5f42993cf9 Mon Sep 17 00:00:00 2001
From: jamiesonpepper
Date: Fri, 13 Mar 2026 16:27:41 -0400
Subject: [PATCH] Attempt #3 RCE bug, rejecting directory traversal

---
 docker/app.py | 29 +++++++++++++++++++++++------
 1 file changed, 23 insertions(+), 6 deletions(-)

diff --git a/docker/app.py b/docker/app.py
index 9aa5205..fb4a601 100644
--- a/docker/app.py
+++ b/docker/app.py
@@ -50,9 +50,12 @@ def upload_files():
         if file.filename == '':
             continue
 
-        # Ensure we replace Windows paths with Linux paths before secure_filename
-        # because on Linux, secure_filename does not strip backslashes by default.
-        filename = secure_filename(file.filename.replace('\\', '/'))
+        # Reject files that contain directory separators or '..'
+        normalized_filename = file.filename.replace('\\', '/')
+        if '/' in normalized_filename or '..' in normalized_filename:
+            return jsonify({'error': f'Invalid filename detected: {file.filename}'}), 400
+
+        filename = secure_filename(file.filename)
         filepath = os.path.join(app.config['UPLOAD_FOLDER'], filename)
         file.save(filepath)
 
@@ -95,7 +98,17 @@ def inject_metadata():
     results = []
 
     for raw_filename in files_to_process:
-        filename = secure_filename(raw_filename.replace('\\', '/'))
+        normalized_filename = raw_filename.replace('\\', '/')
+        if '/' in normalized_filename or '..' in normalized_filename:
+            results.append({
+                'filename': raw_filename,
+                'error': 'Invalid filename detected',
+                'logs': ['Rejected due to unsafe filename path.'],
+                'success': False
+            })
+            continue
+
+        filename = secure_filename(raw_filename)
         input_path = os.path.join(app.config['UPLOAD_FOLDER'], filename)
         output_filename = f"injected_(unknown)"
         output_path = os.path.join(app.config['UPLOAD_FOLDER'], output_filename)
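Review bot: `filename = secure_filename(file.filename)` on the last added line of the first hunk can still come back as an empty string, and the new separator/`..` check does not cover that case: werkzeug drops every character outside `[A-Za-z0-9_.-]` and then strips leading and trailing `._`, so a name such as `___` or one with no ASCII letters sanitizes to `''`, `filepath` becomes the upload folder itself, and `file.save` raises a 500 instead of the intended 400. Add `if not filename:` followed by `return jsonify({'error': 'Invalid filename detected'}), 400` directly after the `secure_filename` call. Returning from inside the loop also leaves files saved by earlier iterations on disk, so a multi-file upload rejected on its second entry is half applied; validating every name before the first `file.save` (or documenting the partial-upload behaviour) would make the 400 honest. The `for` loop and `upload_files` itself both begin before the hunk.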
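Review bot: The second hunk has the same gap at `filename = secure_filename(raw_filename)`: a name that passes the `/` and `..` check but sanitizes to `''` makes `input_path` the upload folder itself, and it is then handed on to the injection step rather than reported like the explicit rejection just above it; treat it the same way with `if not filename:` appending the same error dict and `continue`. This validate-then-sanitize sequence is now written three times in the patch, so a small module-level helper would keep the three routes from drifting apart — sketched below. If the metadata injection later in the function shells out to an external tool, a filename check alone does not bound what that tool is told to do; please confirm it is invoked as `subprocess.run([...], shell=False)` with `input_path` as a list element, since that body lies outside the hunk. `inject_metadata` and its loop continue past the end of the hunk.
```python
def _safe_upload_name(raw_name):
    """Return a name safe to join under UPLOAD_FOLDER, or None when raw_name must be rejected."""
    # Reject separators (Windows or POSIX) and '..' outright, then refuse anything
    # secure_filename reduces to '' so no caller ever builds a path to the folder itself.
    if '/' in raw_name.replace('\\', '/') or '..' in raw_name:
        return None
    return secure_filename(raw_name) or None

# … unchanged: inject_metadata up to the loop …
    for raw_filename in files_to_process:
        filename = _safe_upload_name(raw_filename)
        if filename is None:
            # … unchanged: append the 'Invalid filename detected' result …
            continue
```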
@@ -130,9 +143,13 @@ def inject_metadata():
     return jsonify({'results': results})
 
-@app.route('/download/')
+@app.route('/download/')
 def download_file(filename):
-    secure_name = secure_filename(filename.replace('\\', '/'))
+    normalized_filename = filename.replace('\\', '/')
+    if '/' in normalized_filename or '..' in normalized_filename:
+        return "Invalid file path", 400
+
+    secure_name = secure_filename(filename)
     return send_file(os.path.join(app.config['UPLOAD_FOLDER'], secure_name), as_attachment=True)
 
 
 if __name__ == '__main__':
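Review bot: The `send_file(os.path.join(app.config['UPLOAD_FOLDER'], secure_name), ...)` line still relies on the manual join for containment and surfaces a 500 rather than a 404 when `secure_name` sanitizes to `''` (the join then names the folder itself) or when the file simply does not exist; Flask's `send_from_directory` performs the containment check itself and maps a missing or non-file target to 404, so `return send_from_directory(app.config['UPLOAD_FOLDER'], secure_name, as_attachment=True)` (imported from `flask`) is the conventional replacement and removes the hand-built path. The decorator reads `@app.route('/download/')` on both sides of the hunk, which suggests the `<...>` converter was stripped in rendering; whether the route uses a plain or `path:` converter decides if a `/` can ever reach the new check, so that is worth confirming against the repository. Nothing in the hunk ties a download to the requester, so any file in the upload folder — including `injected_*` outputs from other requests — is fetchable by name; if that is not intended, an ownership or allow-list check belongs here.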