gmakstutis/LightRAG
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix linting

Browse source
This commit is contained in:
yangdx 2025-06-27 02:33:20 +08:00
parent 60777d535b
commit a506753548
1 changed files with 17 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
lightrag/api/routers/document_routes.py
View file

@ -65,35 +65,37 @@ temp_prefix = "__tmp__"
def sanitize_filename(filename: str, input_dir: Path) -> str: def sanitize_filename(filename: str, input_dir: Path) -> str:
""" """
Sanitize uploaded filename to prevent Path Traversal attacks. Sanitize uploaded filename to prevent Path Traversal attacks.
Args: Args:
filename: The original filename from the upload filename: The original filename from the upload
input_dir: The target input directory input_dir: The target input directory
Returns: Returns:
str: Sanitized filename that is safe to use str: Sanitized filename that is safe to use
Raises: Raises:
HTTPException: If the filename is unsafe or invalid HTTPException: If the filename is unsafe or invalid
""" """
# Basic validation # Basic validation
if not filename or not filename.strip(): if not filename or not filename.strip():
raise HTTPException(status_code=400, detail="Filename cannot be empty") raise HTTPException(status_code=400, detail="Filename cannot be empty")
# Remove path separators and traversal sequences # Remove path separators and traversal sequences
clean_name = filename.replace('/', '').replace('\\', '') clean_name = filename.replace("/", "").replace("\\", "")
clean_name = clean_name.replace('..', '') clean_name = clean_name.replace("..", "")
# Remove control characters and null bytes # Remove control characters and null bytes
clean_name = ''.join(c for c in clean_name if ord(c) >= 32 and c != '\x7f') clean_name = "".join(c for c in clean_name if ord(c) >= 32 and c != "\x7f")
# Remove leading/trailing whitespace and dots # Remove leading/trailing whitespace and dots
clean_name = clean_name.strip().strip('.') clean_name = clean_name.strip().strip(".")
# Check if anything is left after sanitization # Check if anything is left after sanitization
if not clean_name: if not clean_name:
raise HTTPException(status_code=400, detail="Invalid filename after sanitization") raise HTTPException(
status_code=400, detail="Invalid filename after sanitization"
)
# Verify the final path stays within the input directory # Verify the final path stays within the input directory
try: try:
final_path = (input_dir / clean_name).resolve() final_path = (input_dir / clean_name).resolve()
@ -101,7 +103,7 @@ def sanitize_filename(filename: str, input_dir: Path) -> str:
raise HTTPException(status_code=400, detail="Unsafe filename detected") raise HTTPException(status_code=400, detail="Unsafe filename detected")
except (OSError, ValueError): except (OSError, ValueError):
raise HTTPException(status_code=400, detail="Invalid filename") raise HTTPException(status_code=400, detail="Invalid filename")
return clean_name return clean_name
@ -1031,7 +1033,7 @@ def create_document_routes(
try: try:
# Sanitize filename to prevent Path Traversal attacks # Sanitize filename to prevent Path Traversal attacks
safe_filename = sanitize_filename(file.filename, doc_manager.input_dir) safe_filename = sanitize_filename(file.filename, doc_manager.input_dir)
if not doc_manager.is_supported_file(safe_filename): if not doc_manager.is_supported_file(safe_filename):
raise HTTPException( raise HTTPException(
status_code=400, status_code=400,