Fix parent root escape (#98)

langchain-ai · Oct 25, 2023 · b629689 · b629689
1 parent 135c0c3
commit b629689
Showing 1 changed file with 14 additions and 4 deletions.
diff --git a/langserve/playground.py b/langserve/playground.py
@@ -24,11 +24,21 @@ async def serve_playground(
     base_url: str,
     file_path: str,
 ) -> Response:
-    local_file_path = os.path.join(
-        os.path.dirname(__file__),
-        "./playground/dist",
-        file_path or "index.html",
+    local_file_path = os.path.abspath(
+        os.path.join(
+            os.path.dirname(__file__),
+            "./playground/dist",
+            file_path or "index.html",
+        )
     )
+
+    base_dir = os.path.abspath(
+        os.path.join(os.path.dirname(__file__), "./playground/dist")
+    )
+
+    if base_dir != os.path.commonpath((base_dir, local_file_path)):
+        return Response("Not Found", status_code=404)
+
     with open(local_file_path) as f:
         mime_type = mimetypes.guess_type(local_file_path)[0]
         if mime_type in ("text/html", "text/css", "application/javascript"):