diff --git a/openc3/lib/openc3/utilities/local_mode.rb b/openc3/lib/openc3/utilities/local_mode.rb
index b0eed0118..7e463efff 100644
--- a/openc3/lib/openc3/utilities/local_mode.rb
+++ b/openc3/lib/openc3/utilities/local_mode.rb
@@ -380,6 +380,7 @@ def self.zip_target(target_name, zip, scope:)
 def self.put_target_file(path, io_or_string, scope:)
 full_folder_path = "#{OPENC3_LOCAL_MODE_PATH}/#{path}"
+ return unless File.expand_path(full_folder_path).start_with?(OPENC3_LOCAL_MODE_PATH)
 FileUtils.mkdir_p(File.dirname(full_folder_path))
 File.open(full_folder_path, 'wb') do |file|
 if String === io_or_string
@@ -393,7 +394,10 @@ def self.put_target_file(path, io_or_string, scope:)
 def self.open_local_file(path, scope:)
 full_path = "#{OPENC3_LOCAL_MODE_PATH}/#{scope}/targets_modified/#{path}"
- return File.open(full_path, 'rb')
+ if File.expand_path(full_path).start_with?(OPENC3_LOCAL_MODE_PATH)
+ return File.open(full_path, 'rb')
+ end
+ nil
 rescue Errno::ENOENT
 nil
 end
@@ -446,6 +450,7 @@ def self.sync_tool_config()
 def self.save_tool_config(scope, tool, name, data)
 json = JSON.parse(data, :allow_nan => true, :create_additions => true)
 config_path = "#{OPENC3_LOCAL_MODE_PATH}/#{scope}/tool_config/#{tool}/#{name}.json"
+ return unless File.expand_path(config_path).start_with?(OPENC3_LOCAL_MODE_PATH)
 FileUtils.mkdir_p(File.dirname(config_path))
 File.open(config_path, 'w') do |file|
 file.write(JSON.pretty_generate(json, :allow_nan => true))
@@ -453,7 +458,9 @@ def self.save_tool_config(scope, tool, name, data)
 end
 def self.delete_tool_config(scope, tool, name)
- FileUtils.rm_f("#{OPENC3_LOCAL_MODE_PATH}/#{scope}/tool_config/#{tool}/#{name}.json")
+ config_path = "#{OPENC3_LOCAL_MODE_PATH}/#{scope}/tool_config/#{tool}/#{name}.json"
+ return unless File.expand_path(config_path).start_with?(OPENC3_LOCAL_MODE_PATH)
+ FileUtils.rm_f(config_path)
 end
 def self.sync_settings()
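Review bot: The guard added in put_target_file is a plain string-prefix test, so a resolved path in a sibling directory whose name merely begins with the same characters as OPENC3_LOCAL_MODE_PATH passes it (constructed example: root `/plugins/DEFAULT`, resolved path `/plugins/DEFAULT_old/x`). The comparison should be made against the expanded root plus a trailing separator; note also that `File.expand_path` does not resolve symlinks, so a link inside the tree that points outward is not caught, which matters if anything untrusted can create files there. The same expression is repeated in open_local_file, save_tool_config, delete_tool_config, save_setting, sync_remote_to_local, sync_local_to_remote and delete_local, so one private helper would keep the eight Ruby call sites from drifting apart. The method bodies continue outside the hunks.

```ruby
# Proposed helper: true only when path resolves to a location below the local-mode root.
def self.inside_local_mode?(path)
  root = File.expand_path(OPENC3_LOCAL_MODE_PATH)
  File.expand_path(path).start_with?(root + File::SEPARATOR)
end

def self.put_target_file(path, io_or_string, scope:)
  full_folder_path = "#{OPENC3_LOCAL_MODE_PATH}/#{path}"
  return unless inside_local_mode?(full_folder_path)
  # … unchanged: mkdir_p and the File.open write …
```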
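Review bot: In open_local_file the new test is anchored at OPENC3_LOCAL_MODE_PATH, but the path is built under `#{scope}/targets_modified`, so a `path` containing `..` segments can still resolve into another scope's directory or into the tool_config and settings trees and be opened. Anchoring the comparison at the directory the method is meant to serve closes that gap: `base = File.expand_path("#{OPENC3_LOCAL_MODE_PATH}/#{scope}/targets_modified")` followed by `return nil unless File.expand_path(full_path).start_with?(base + File::SEPARATOR)`. save_tool_config, delete_tool_config and save_setting interpolate `scope`, `tool` and `name` the same way and are likewise checked only against the root, and the Python open_local_file hunk has the same shape. Whether callers validate `scope` before it reaches these methods is not visible in this diff.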
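Review bot: In save_tool_config the guard sits after `JSON.parse(data, :allow_nan => true, :create_additions => true)`, so a request whose path is rejected still has its payload parsed with additions enabled before the method returns. Building `config_path` and running the `return unless …` check first would mean rejected input is never deserialized. Separately, `create_additions` lets the JSON text name classes to instantiate; if `data` can come from an API caller (not visible in this hunk), parsing without that option would be the safer default and deserves a follow-up.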
@@ -471,6 +478,7 @@ def self.sync_settings()
 def self.save_setting(scope, name, data)
 config_path = "#{OPENC3_LOCAL_MODE_PATH}/#{scope}/settings/#{name}.json"
+ return unless File.expand_path(config_path).start_with?(OPENC3_LOCAL_MODE_PATH)
 FileUtils.mkdir_p(File.dirname(config_path))
 # Anything can be stored as a setting so write it out directly
 File.write(config_path, data)
@@ -480,12 +488,14 @@ def self.save_setting(scope, name, data)
 def self.sync_remote_to_local(bucket, key)
 local_path = "#{OPENC3_LOCAL_MODE_PATH}/#{key}"
+ return unless File.expand_path(local_path).start_with?(OPENC3_LOCAL_MODE_PATH)
 FileUtils.mkdir_p(File.dirname(local_path))
 bucket.get_object(bucket: ENV['OPENC3_CONFIG_BUCKET'], key: key, path: local_path)
 end
 def self.sync_local_to_remote(bucket, key)
 local_path = "#{OPENC3_LOCAL_MODE_PATH}/#{key}"
+ return unless File.expand_path(local_path).start_with?(OPENC3_LOCAL_MODE_PATH)
 File.open(local_path, 'rb') do |read_file|
 bucket.put_object(bucket: ENV['OPENC3_CONFIG_BUCKET'], key: key, body: read_file)
 end
@@ -493,6 +503,7 @@ def self.sync_local_to_remote(bucket, key)
 def self.delete_local(key)
 local_path = "#{OPENC3_LOCAL_MODE_PATH}/#{key}"
+ return unless File.expand_path(local_path).start_with?(OPENC3_LOCAL_MODE_PATH)
 File.delete(local_path) if File.exist?(local_path)
 nil
 end
diff --git a/openc3/python/openc3/utilities/local_mode.py b/openc3/python/openc3/utilities/local_mode.py
index 569d0e8fb..9edc028b1 100644
--- a/openc3/python/openc3/utilities/local_mode.py
+++ b/openc3/python/openc3/utilities/local_mode.py
@@ -332,6 +332,8 @@ class LocalMode:
 @classmethod
 def put_target_file(cls, path, io_or_string, scope):
 full_folder_path = f"{cls.LOCAL_MODE_PATH}/{path}"
+ if not os.path.normpath(full_folder_path).startswith(cls.LOCAL_MODE_PATH):
+ return
 os.makedirs(os.path.dirname(full_folder_path), exist_ok=True)
 flags = "w"
 if isinstance(io_or_string, bytes):
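Review bot: In sync_remote_to_local and sync_local_to_remote a key that fails the new check makes the method return nil with no trace, so the local tree and the bucket can drift apart unnoticed and a rejected traversal attempt leaves nothing for an operator to find. A warning at the rejection point would cover both, for example `Logger.warn("LocalMode: rejected path outside local mode root: #{key.inspect}")`, assuming the project logger is loaded in this file (the require block is outside the diff). The same silent return applies to save_setting and delete_local in the neighbouring hunks and to the earlier Ruby hunks.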
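Review bot: `os.path.normpath(full_folder_path).startswith(cls.LOCAL_MODE_PATH)` in put_target_file has the same prefix weakness as the Ruby check (a sibling directory sharing the root's leading characters passes), and it also depends on LOCAL_MODE_PATH already being absolute and normalised, since normpath neither makes a path absolute nor touches the right-hand side. A component-wise comparison avoids both: `root = os.path.abspath(cls.LOCAL_MODE_PATH)` and `if os.path.commonpath([root, os.path.abspath(full_folder_path)]) != root: return`. The open_local_file hunk that follows uses the same expression. Only these two Python methods gain a guard while eight Ruby methods do; if the Python class has counterparts for the config, settings and sync methods (not shown in this diff), they would need it too.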
@@ -347,7 +349,9 @@ def put_target_file(cls, path, io_or_string, scope):
 def open_local_file(cls, path, scope):
 try:
 full_path = f"{cls.LOCAL_MODE_PATH}/{scope}/targets_modified/{path}"
- return open(full_path, "rb")
+ if os.path.normpath(full_path).startswith(cls.LOCAL_MODE_PATH):
+ return open(full_path, "rb")
+ return None
 except OSError:
 return None