Merge pull request #75 from SirTeggun/patch-1

Update cli.py
CybercentreCanada · Dec 30, 2024 · 0c8da7c · 0c8da7c
2 parents ec011b3 + c51c5ec
commit 0c8da7c
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/maco/cli.py b/maco/cli.py
@@ -123,10 +123,15 @@ def process_filesystem(
         logger.error(f"not file or folder: {path_samples}")
         exit(2)
     try:
-        for path, dirs, files in walker:
+        base_directory = os.path.abspath(path_samples)
+        for path, _, files in walker:
             for file in files:
                 num_analysed += 1
-                path_file = os.path.join(path, file)
+                path_file = os.path.abspath(os.path.join(path, file))
+                if not path_file.startswith(base_directory):
+                    logger.error(f"Attempted path traversal detected: {path_file}")
+                    continue
+
                 try:
                     with open(path_file, "rb") as stream:
                         resp = process_file(