fix: restrict starter code download to allowed file extensions #438
Open
atul-upadhyay-7 wants to merge 4 commits into
Conversation
added 4 commits
May 22, 2026 08:35
…lly works The cache variable and clear_cache() were defined but never actually used by load_all_projects() — it always read from disk. This wires the cache in so repeated calls avoid redundant I/O.
…vascript 'web dev' in SKILL_ALIASES mapped to only 'javascript', which meant projects listing HTML and CSS (without JS) were completely excluded from results. This changes the alias to a list so all three core web skills get matched, and updates parse_skills() to handle list-valued aliases by extending rather than appending.
…ebreaker When multiple projects scored the same, the sort was unstable — equal-scoring projects appeared in arbitrary order that could change between runs or after JSON edits. Adding project id as a secondary sort key guarantees consistent results for identical inputs.
resolve_starter_file() only checked file existence but not the file extension, meaning any file sitting in starter_code/ could be served as a download. Added an ALLOWED_EXTENSIONS set and a check that rejects files with extensions outside the expected code formats.
Description

The resolve_starter_file() function in utils/file_server.py had no file extension validation — any file present in the starter_code/ directory could be served as a download, even if it wasn't a legitimate code file.

Changes

Added ALLOWED_EXTENSIONS — a set defining which file extensions are permitted: .py, .js, .html, .css, .json, .md, .txt

Extension check in resolve_starter_file() — after extracting the basename, the file extension is compared against the allowed list. Non-matching files return None, which causes the endpoint to return a 404.

Security Impact

Previously, any file placed in starter_code/ (e.g. .env, .gitignore, private keys) could be downloaded via the /project/<id>/download endpoint. The extension check acts as a defense-in-depth measure alongside the existing os.path.basename() path traversal protection.

Verification

.py, .html, .css files resolve normally
.env, no-extension, and other non-code extensions return None

Closes #378
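As an added example (not the project's code in utils/file_server.py), here is a resolve_starter_file() in the shape the description implies: basename first, then the ALLOWED_EXTENSIONS check, then an existence check. The two-argument signature, the starter-directory parameter, the case-insensitive extension comparison and the regular-file requirement are assumptions; the sample files are constructed in a temporary directory.

```python
import os
import tempfile

# Allow-list from the PR description. Comparison is done on the lower-cased
# extension (an assumption beyond the PR) so "MAIN.PY" is treated like "main.py".
ALLOWED_EXTENSIONS = {".py", ".js", ".html", ".css", ".json", ".md", ".txt"}


def resolve_starter_file(starter_dir, requested_name):
    """Return the path of a downloadable starter file, or None (-> 404).

    Signature is assumed for this example. Checks run in this order:
    path traversal (basename), extension allow-list, then a regular-file check.
    """
    # 1. Keep only the final path component, so "../../.env" becomes ".env".
    name = os.path.basename(requested_name)
    if not name:
        return None
    # 2. Extension allow-list. os.path.splitext() returns "" for "id_rsa" and
    #    also for ".env" (a leading dot is part of the name, not an extension),
    #    so both are rejected; "keys.py.env" yields ".env" and is rejected too.
    _, ext = os.path.splitext(name)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return None
    # 3. Only existing regular files are served (no directories, no dangling links).
    path = os.path.join(starter_dir, name)
    if not os.path.isfile(path):
        return None
    return path


def demo():
    """Build a constructed starter_code/ directory and record each decision."""
    tmp = tempfile.mkdtemp()
    for sample in ["main.py", "index.html", ".env", "id_rsa", "keys.py.env"]:
        with open(os.path.join(tmp, sample), "w") as fh:
            fh.write("sample\n")
    requests = ["main.py", "index.html", "../main.py", ".env", "id_rsa",
                "keys.py.env", "missing.py", ""]
    # True means the file would be served, False means the endpoint returns 404.
    return {r: resolve_starter_file(tmp, r) is not None for r in requests}


if __name__ == "__main__":
    for request, served in demo().items():
        print(f"{request!r:16} -> {'served' if served else '404'}")
```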