From 1b49db1a6f23ee1f788784a460433fb55045fd1d Mon Sep 17 00:00:00 2001
From: jkylekelly
Date: Sat, 12 Oct 2024 15:29:28 -0700
Subject: [PATCH 1/2] removes arbirtary file delete
---
 src/agentscope/studio/_app.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/agentscope/studio/_app.py b/src/agentscope/studio/_app.py
index 81ed58b61..43a85874d 100644
--- a/src/agentscope/studio/_app.py
+++ b/src/agentscope/studio/_app.py
@@ -743,7 +743,7 @@ def _save_workflow() -> Response:
 @_app.route("/delete-workflow", methods=["POST"])
 def _delete_workflow() -> Response:
     """
-    Deletes a workflow JSON file from the user folder.
+    Deletes a specific workflow JSON file from the user folder.
     """
     user_login = session.get("user_login", "local_user")
     user_dir = os.path.join(_cache_dir, user_login)
@@ -755,6 +755,9 @@ def _delete_workflow() -> Response:
     if not filename:
         return jsonify({"error": "Filename is required"})
 
+    if not filename.endswith(".json"):
+        return jsonify({"error": "Only JSON files can be deleted"})
+
     filepath = os.path.join(user_dir, filename)
     if not os.path.exists(filepath):
         return jsonify({"error": "File not found"})
From 4f2b2c1c9b8ca3005775336867b3500298462963 Mon Sep 17 00:00:00 2001
From: jkylekelly
Date: Sat, 12 Oct 2024 15:36:14 -0700
Subject: [PATCH 2/2] sanitizing with basename
---
 src/agentscope/studio/_app.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/agentscope/studio/_app.py b/src/agentscope/studio/_app.py
index 43a85874d..8e1ba88d1 100644
--- a/src/agentscope/studio/_app.py
+++ b/src/agentscope/studio/_app.py
@@ -743,7 +743,7 @@ def _save_workflow() -> Response:
 @_app.route("/delete-workflow", methods=["POST"])
 def _delete_workflow() -> Response:
     """
-    Deletes a specific workflow JSON file from the user folder.
+    Deletes a workflow JSON file from the user folder.
     """
     user_login = session.get("user_login", "local_user")
     user_dir = os.path.join(_cache_dir, user_login)
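Review bot: The suffix check added at the top of the second hunk constrains only the file extension, not the directory: the context line `filepath = os.path.join(user_dir, filename)` still accepts a filename carrying path components, so after this commit alone the deleted file is not yet guaranteed to live inside user_dir. The second commit in this series ("sanitizing with basename") narrows that, so I would not duplicate it here; the remaining point is that the new early return, like the two it sits beside, answers with the default HTTP 200 and an `error` body, and `return jsonify({"error": "Only JSON files can be deleted"}), 400` would let clients and access logs distinguish a rejected request from a completed deletion. The comparison is case-sensitive, which is the conservative direction for an allowlist. _delete_workflow's body continues past the hunk.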
@@ -758,6 +758,8 @@ def _delete_workflow() -> Response:
     if not filename.endswith(".json"):
         return jsonify({"error": "Only JSON files can be deleted"})
 
+    filename = os.path.basename(filename)
+
     filepath = os.path.join(user_dir, filename)
     if not os.path.exists(filepath):
         return jsonify({"error": "File not found"})
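Review bot: `filename = os.path.basename(filename)` silently rewrites the request instead of rejecting it: a filename that arrives with directory components is quietly mapped onto the like-named file directly under user_dir and that file is deleted, which masks client bugs and leaves the log of what was asked for and what was removed disagreeing. A delete endpoint should refuse such input with `if os.path.basename(filename) != filename: return jsonify({"error": "Invalid filename"}), 400`, and, as defense in depth that does not depend on string handling (`os.path.basename` only splits on the running platform's separator), confirm after the join that the resolved target still lies under the resolved user_dir. The context line above the hunk builds user_dir from the session's `user_login`; whether that value is validated elsewhere is not visible here. _delete_workflow continues past the hunk, so the removal itself is not shown.
```python
    if not filename.endswith(".json"):
        return jsonify({"error": "Only JSON files can be deleted"})

    # Reject rather than normalize: a name with directory components is a
    # client error, not a request for the like-named file in user_dir.
    if os.path.basename(filename) != filename:
        return jsonify({"error": "Invalid filename"}), 400

    filepath = os.path.join(user_dir, filename)
    # Defense in depth: the resolved target must remain inside user_dir.
    real_dir = os.path.realpath(user_dir)
    real_path = os.path.realpath(filepath)
    if os.path.commonpath([real_dir, real_path]) != real_dir:
        return jsonify({"error": "Invalid filename"}), 400
    # … unchanged: existence check …
```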