Commit 6191fe4a authored by Laurent Peuch's avatar Laurent Peuch

[debug-toolbar/display_source_code/security] add a security mechanism so that only whitelisted files can be read

Closes #17256791
parent a2b8c201727f
......@@ -33,6 +33,8 @@ from cubicweb.misc.source_highlight import highlight_html, generate_css, has_pyg
DEBUG_DISPLAY_SOURCE_CODE_PATH = '_debug_display_source_code'
FILES_WHITE_LIST = set()
def source_code_url(object_or_class):
if object_or_class is None:
......@@ -47,6 +49,8 @@ def source_code_url(object_or_class):
logging.debug("Error while trying to source code of '%s'" % object_or_class)
return ""
FILES_WHITE_LIST.add(file_path)
try:
source_code, line = inspect.getsourcelines(object_or_class)
except OSError: # when we couldn't read the source code/line
......@@ -81,6 +85,10 @@ def debug_display_source_code(request):
if not os.path.exists(source_code_file):
return Response("Error: file '%s' doesn't exist on the filesystem." % source_code_file)
# security
if source_code_file not in FILES_WHITE_LIST:
return Response("Error: access to file is not authorized")
try:
content = open(source_code_file, "r").read()
except Exception as e:
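Review bot: The new whitelist check on `source_code_file` comes after the `os.path.exists` test, so a request for a path that is not whitelisted still receives a different response depending on whether that path exists on the filesystem, which makes the view an existence oracle for arbitrary paths. Move `# security` / `if source_code_file not in FILES_WHITE_LIST:` / `return Response("Error: access to file is not authorized")` above the `os.path.exists` check so unauthorized paths are rejected before the filesystem is consulted. The check is an exact string comparison, so it presumably relies on `file_path` (added to FILES_WHITE_LIST in source_code_url in the previous hunk) and `source_code_file` being in the same normalized form; a comment next to `# security` stating that assumption would help the next maintainer. The adjacent `open(source_code_file, "r").read()` also never closes the handle; `with open(source_code_file, "r") as f: content = f.read()` would fix that while you are here. debug_display_source_code starts before and continues after this hunk.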