rusackas commented on code in PR #40664:
URL: https://github.com/apache/superset/pull/40664#discussion_r3338305903


##########
superset/extensions/utils.py:
##########
@@ -36,7 +36,9 @@
 logger = logging.getLogger(__name__)
 
 FRONTEND_REGEX = re.compile(r"^frontend/dist/([^/]+)$")
-BACKEND_REGEX = re.compile(r"^backend/src/(.+)$")
+# Reject parent ("..") path components so a crafted entry name cannot produce
+# a traversal-style module path (defense in depth; check_is_safe_zip runs 
first).
+BACKEND_REGEX = re.compile(r"^backend/src/(?!.*\.\.)(.+)$")
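Review bot: the comment above the new BACKEND_REGEX says it rejects parent ("..") path components, but `(?!.*\.\.)` rejects any two consecutive dots anywhere after `backend/src/`, including inside a plain filename, so the comment describes a narrower rule than the regex enforces. If the broader match is intentional (the thread treats it as a deliberate, conservative choice), the comment should say "any '..' sequence" rather than "parent path components" so a later reader does not loosen it to a per-component check by mistake; in either case a small unit test that pins both an accepted name and the rejected shapes (a `..` component, a leading-dot component, a literal `..` inside a filename) would make the intended behaviour explicit. The wrapped comment line (`runs ` / `first).`) also looks like a line break slipped into the source and is worth a re-check before merge.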

Review Comment:
   The concern about  blocking filenames containing literal  (like ) is noted, 
but in practice extension module paths () are Python-importable names — those 
never embed consecutive dots. The defense-in-depth comment already calls out 
that  runs first; the regex is a secondary guard for path-component traversal 
only. Also, bito's proposed replacement () would incorrectly *allow* entries 
like , which is another form of leading-dot traversal. The current pattern is 
intentionally conservative; will leave as-is.
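The behaviour argued over above can be checked directly. The following is an added example, not code from the Superset PR: the two compiled patterns are copied from the hunk, the sample entry names are constructed here, and `is_importable_module_path` is an illustrative stricter guard (an assumption, not anything in the project) that encodes the point made in the comment, namely that importable module paths consist of Python identifiers and therefore never contain consecutive dots.

```python
import re

# The two patterns from the hunk: the previous one, and the one with the
# negative lookahead that rejects any ".." in the remainder of the entry name.
OLD_BACKEND_REGEX = re.compile(r"^backend/src/(.+)$")
NEW_BACKEND_REGEX = re.compile(r"^backend/src/(?!.*\.\.)(.+)$")


def captured_module_path(entry_name, pattern=NEW_BACKEND_REGEX):
    """Return the captured group for an accepted zip entry name, or None if rejected."""
    match = pattern.match(entry_name)
    return match.group(1) if match else None


def is_importable_module_path(module_path):
    """Illustrative stricter check (assumption, not from the PR): every path
    component must be a valid Python identifier once a trailing '.py' is stripped
    from the last one. Identifiers never contain dots at all, so a '..' component,
    a leading-dot component, or 'name..ext' can never be a legitimate module path."""
    parts = module_path.split("/")
    if not parts or any(part == "" for part in parts):
        return False
    last = parts[-1]
    if last.endswith(".py"):
        parts[-1] = last[:-3]
    return all(part.isidentifier() for part in parts)


# Constructed sample entry names; the comment gives the verdict of NEW_BACKEND_REGEX.
SAMPLES = [
    "backend/src/my_ext/__init__.py",     # accepted
    "backend/src/my_ext/handlers.py",     # accepted
    "backend/src/../superset/config.py",  # rejected: parent component
    "backend/src/my_ext/../../x.py",      # rejected: parent components deeper in
    "backend/src/..hidden/x.py",          # rejected: leading-dot component
    "backend/src/notes..txt",             # rejected: literal '..' inside a filename
    "frontend/dist/bundle.js",            # rejected: not a backend/src entry at all
]


def compare_patterns(entry_names=SAMPLES):
    """Map each entry name to (accepted_by_old, accepted_by_new) so the effect of
    the added lookahead is visible name by name."""
    return {
        name: (
            captured_module_path(name, OLD_BACKEND_REGEX) is not None,
            captured_module_path(name, NEW_BACKEND_REGEX) is not None,
        )
        for name in entry_names
    }


if __name__ == "__main__":
    for name, (old_ok, new_ok) in compare_patterns().items():
        print(f"{name:40} old={old_ok!s:5} new={new_ok!s:5}")
```

Running it shows the single behavioural difference between the two patterns on these samples: the old regex accepts every `backend/src/` entry, while the new one refuses the three traversal-shaped names and also `notes..txt`, which is the trade-off the comment accepts because such a name would not be importable anyway.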



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

