
Fix uncontrolled data used in path expression

Open odaysec opened this issue 6 months ago • 1 comments

https://github.com/browser-use/web-ui/blob/886ba8f5354dca96a544ed7b7072fb41e4dcf850/src/agent/deep_research/deep_research_agent.py#L1115-L1115

To fix the issue, the save_dir parameter needs to be validated before it is used to construct file paths. The best approach is to ensure that the constructed path is contained within a safe root directory. This can be achieved by normalizing the path using os.path.normpath and verifying that it starts with the intended root directory.

Steps to implement the fix:

  1. Introduce a safe_root_dir variable to define the root directory where files can be saved.
  2. Normalize the save_dir parameter using os.path.normpath.
  3. Check that the normalized save_dir starts with safe_root_dir. If it does not, raise an exception or log an error and use a default safe directory instead.
  • Bug Fixes
  • Normalizes and validates save directory paths in both backend and web UI.
  • Logs a warning and defaults to a safe directory if an unsafe path is detected.

werkzeug.utils.secure_filename

odaysec avatar May 29 '25 11:05 odaysec
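The containment check described in the issue, written out as an added example (not code from the web-ui repository or from the issue author). SAFE_ROOT_DIR, resolve_save_dir and the sample paths are assumptions for illustration; the check uses os.path.commonpath rather than a plain str.startswith, because a prefix string test would wrongly accept a sibling directory such as `<root>2`.

```python
import logging
import os

logger = logging.getLogger(__name__)

# Constructed example: the root under which research output may be written.
SAFE_ROOT_DIR = os.path.abspath("./tmp/deep_research")


def resolve_save_dir(save_dir: str, safe_root: str = SAFE_ROOT_DIR) -> str:
    """Return an absolute path for save_dir only if it lies inside safe_root.

    Relative values are resolved against safe_root. Any value that normalizes
    to a location outside safe_root ('..' segments, an absolute path elsewhere)
    is logged and replaced by safe_root itself, mirroring the fix's fallback.
    """
    root = os.path.normpath(os.path.abspath(safe_root))
    # os.path.join keeps an absolute save_dir as-is, so absolute paths inside
    # the root are still accepted and absolute paths outside it are rejected.
    candidate = os.path.normpath(os.path.join(root, save_dir))
    try:
        # commonpath compares whole components, so '/a/root2' is not treated
        # as a child of '/a/root' the way candidate.startswith(root) would.
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:
        # Raised on Windows when the two paths are on different drives.
        inside = False
    if not inside:
        logger.warning("Unsafe save_dir %r rejected; using %r", save_dir, root)
        return root
    return candidate


if __name__ == "__main__":
    for sample in ("task_1", "a/../b", "../../etc", SAFE_ROOT_DIR + "2", "/etc"):
        print(f"{sample!r:>40} -> {resolve_save_dir(sample)}")
```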

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar May 29 '25 11:05 CLAassistant

Hi @warmshao @gregpr07, thank you for your response and for approving the patch. I was wondering if there are any updates regarding algora.io/odaysec, or if you might be open to supporting my work through GitHub Sponsors. I would truly appreciate it!

odaysec avatar Jun 01 '25 15:06 odaysec

/claim #619

odaysec avatar Jun 02 '25 12:06 odaysec