Skip to content

(Security) Fixes #1202 bug risk of leaking the scan result files #1301

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
yogeshojha merged 2 commits into from
Jul 5, 2024
Merged

(Security) Fixes #1202 bug risk of leaking the scan result files #1301

yogeshojha merged 2 commits into from
Jul 5, 2024

Conversation

@yogeshojha
Copy link
Owner

@yogeshojha yogeshojha commented Jul 4, 2024

Fixes a security issue in nginx that allowed media directives to be accessed by non auth users.

Used X-Accel-Redirect as suggested by @0xtejas . Thank you 🥳

Reported by @confd0

@yogeshojha yogeshojha linked an issue Jul 4, 2024 that may be closed by this pull request
bug: Risk of leaking the scan result files #1202
Closed
1 task
@github-actions
Copy link
Contributor

github-actions bot commented Jul 4, 2024

👋 Hi @yogeshojha,
Thank you for sending this pull request.
Please make sure you have followed our contribution guidelines.
We will review this PR as soon as possible. Thank you for your patience.

github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 4, 2024
View reviewed changes
web/reNgine/views.py
@login_required
def serve_protected_media(request, path):
file_path = os.path.join(settings.MEDIA_ROOT, path)
if os.path.isdir(file_path):

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression

This path depends on a [user-provided value](1).
web/reNgine/views.py
file_path = os.path.join(settings.MEDIA_ROOT, path)
if os.path.isdir(file_path):
raise Http404("File not found")
if os.path.exists(file_path):

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression

This path depends on a [user-provided value](1).
@yogeshojha yogeshojha self-assigned this Jul 4, 2024
@yogeshojha yogeshojha merged commit ca8389b into master Jul 5, 2024
@yogeshojha yogeshojha deleted the 1202-bug-risk-of-leaking-the-scan-result-files branch July 19, 2024 05:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@yogeshojha yogeshojha

Labels

release/2.1.1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

bug: Risk of leaking the scan result files

2 participants

@yogeshojha