Skip to content

security: prevent path traversal in download page#2051

Open
createkr wants to merge 1 commit intoScottcjn:mainfrom
createkr:sec/issue2050-download-path-traversal
Open

security: prevent path traversal in download page#2051
createkr wants to merge 1 commit intoScottcjn:mainfrom
createkr:sec/issue2050-download-path-traversal

Conversation

@createkr
Copy link
Copy Markdown
Contributor

@createkr createkr commented Apr 4, 2026

Summary

This change hardens the standalone download page handler against path traversal and arbitrary file read attacks.

What changed

  • Rejected traversal-style request paths before file access
  • Canonicalized the resolved path with os.path.realpath()
  • Enforced that the final resolved path must remain inside DOWNLOAD_DIR before serving content

Why

The previous implementation joined attacker-controlled request paths directly with DOWNLOAD_DIR and then opened the resulting path without containment checks. Requests such as GET /../../etc/passwd could escape the intended directory and read arbitrary local files.

Scope

  • node/rustchain_download_page.py only

Closes #2050

Payout Wallet

RTC1d48d848a5aa5ecf2c5f01aa5fb64837daaf2f35

@github-actions github-actions bot added BCOS-L1 Beacon Certified Open Source tier BCOS-L1 (required for non-doc PRs) node Node server related labels Apr 4, 2026
@createkr createkr mentioned this pull request Apr 4, 2026
Open
@github-actions github-actions bot added the size/S PR: 11-50 lines label Apr 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

BCOS-L1 Beacon Certified Open Source tier BCOS-L1 (required for non-doc PRs) node Node server related size/S PR: 11-50 lines

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Security: download page path traversal allows arbitrary file read

1 participant

@createkr