feat: Add login page with dynamic RGB effects and password toggle functionality

feat: Implement package management utilities with JSON endpoints for listing and uninstalling packages feat: Create plugin management utilities with endpoints for listing, configuring, and installing plugins feat: Develop schedule and trigger management utilities with CRUD operations for schedules and triggers
2026-03-19 10:10:24 +00:00 · 2026-03-19 00:40:04 +01:00
parent 3fa4d5742a
commit b0584a1a8e
176 changed files with 7795 additions and 1781 deletions
--- a/web_utils/attack_utils.py
+++ b/web_utils/attack_utils.py
@@ -1,8 +1,4 @@
-# web_utils/attack_utils.py
-"""
-Attack and action management utilities.
-Handles attack listing, import/export, and action metadata management.
-"""
+"""attack_utils.py - Attack listing, import/export, and action metadata management."""
 from __future__ import annotations
 import json
 import os
@@ -322,12 +318,14 @@ class AttackUtils:
        try:
            rel = handler.path[len('/actions_icons/'):]
            rel = os.path.normpath(rel).replace("\\", "/")
-            if rel.startswith("../"):
+
+            # Robust path traversal prevention: resolve to absolute and verify containment
+            image_path = os.path.realpath(os.path.join(self.shared_data.actions_icons_dir, rel))
+            base_dir = os.path.realpath(self.shared_data.actions_icons_dir)
+            if not image_path.startswith(base_dir + os.sep) and image_path != base_dir:
                handler.send_error(400, "Invalid path")
                return

-            image_path = os.path.join(self.shared_data.actions_icons_dir, rel)
-
            if not os.path.exists(image_path):
                handler.send_error(404, "Image not found")
                return