llabeyrie/Juicepyter
1
0
Fork 0
Code Issues 14 Pull Requests Activity

Unsafe path traversal in app.py image extraction #15

New Issue
Open
opened 2026-03-19 17:31:11 +00:00 by llabeyrie · 0 comments
llabeyrie commented 2026-03-19 17:31:11 +00:00
Owner
Copy Link

Description

In app.py lines 24-28, the _extract_image_from_stdout() function resolves paths from pipeline stdout without validating they stay within the project directory:

candidate = Path(text)
if not candidate.is_absolute():
    candidate = APP_DIR / candidate   # line 25

if candidate.suffix.lower() in IMAGE_EXTENSIONS and candidate.exists():
    return candidate                  # returned without validation!

Problem

If the pipeline stdout contains a line like ../../etc/passwd.png, the path resolves outside APP_DIR. While exploitation requires control of stdout, the defense-in-depth principle applies — especially since stdout is a mix of debug prints and real output (issue #3).

Fix

candidate = (APP_DIR / candidate).resolve()
if not str(candidate).startswith(str(APP_DIR.resolve())):
    continue  # skip paths outside project directory
## Description In `app.py` lines 24-28, the `_extract_image_from_stdout()` function resolves paths from pipeline stdout without validating they stay within the project directory: ```python candidate = Path(text) if not candidate.is_absolute(): candidate = APP_DIR / candidate # line 25 if candidate.suffix.lower() in IMAGE_EXTENSIONS and candidate.exists(): return candidate # returned without validation! ``` ### Problem If the pipeline stdout contains a line like `../../etc/passwd.png`, the path resolves outside `APP_DIR`. While exploitation requires control of stdout, the defense-in-depth principle applies — especially since stdout is a mix of debug prints and real output (issue #3). ### Fix ```python candidate = (APP_DIR / candidate).resolve() if not str(candidate).startswith(str(APP_DIR.resolve())): continue # skip paths outside project directory ```
llabeyrie added the bugpriority: low labels 2026-03-19 17:31:50 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
Potential bugs and logic errors
 code-quality
Code quality, duplication, inconsistent patterns
 dependencies
Dependency management issues
 documentation
Documentation improvements
 performance
Performance and efficiency improvements
 priority: critical
Must fix — blocks core functionality
 priority: high
Important — affects reliability or security
 priority: low
Nice to have — polish and optimization
 priority: medium
Should fix — improves quality and maintainability
 structure
Project structure and organization
 testing
Missing or insufficient tests
 tooling
Tooling, CI/CD, developer experience
No Label bug priority: low
Milestone
No items
No Milestone
Assignees
Clear assignees
llabeyrie
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: llabeyrie/Juicepyter#15
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?