django-static-sitemaps
SuspiciousFileOperation on Django 4.2.14 django-static-sitemaps 5.0.0
Hi,
I am again running into something resembling issue #19: it looks like the directory to STATICSITEMAPS_ROOT cannot be absolute with the current setup.
I don't think there is anything bad with absolute paths, as I am running my code on Docker and the path is both /staticroot and /mediaroot and there's a Docker volume mounted.
Currently I have mitigated this issue with this setting in my settings.py:

```python
STATICSITEMAPS_ROOT_DIR = os.path.relpath(STATIC_ROOT, start=os.getcwd())
```

... but I guess this is far from ideal.
The traceback:
```
name = '/Users/mpasternak/bpp-media/sitemaps/sitemap-jednostka-1.xml', allow_relative_path = True

    def validate_file_name(name, allow_relative_path=False):
        # Remove potentially dangerous names
        if os.path.basename(name) in {"", ".", ".."}:
            raise SuspiciousFileOperation("Could not derive file name from '%s'" % name)

        if allow_relative_path:
            # Ensure that name can be treated as a pure posix path, i.e. Unix
            # style (with forward slashes).
            path = pathlib.PurePosixPath(str(name).replace("\\", "/"))
            if path.is_absolute() or ".." in path.parts:
>               raise SuspiciousFileOperation(
                    "Detected path traversal attempt in '%s'" % name
E               django.core.exceptions.SuspiciousFileOperation: Detected path traversal attempt in '/Users/mpasternak/bpp-media/sitemaps/sitemap-jednostka-1.xml'

allow_relative_path = True
name = '/Users/mpasternak/bpp-media/sitemaps/sitemap-jednostka-1.xml'
path = PurePosixPath('/Users/mpasternak/bpp-media/sitemaps/sitemap-jednostka-1.xml')

../../Library/Caches/pypoetry/virtualenvs/bpp-iplweb-61_RsGZW-py3.11/lib/python3.11/site-packages/django/core/files/utils.py:17: SuspiciousFileOperation
```
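
An added example, not part of the original report and not code from Django or django-static-sitemaps: it restates the `allow_relative_path` check from the traceback and shows a name derived relative to the storage root passing it, while the absolute path and a working-directory-relative path that needs `..` are both rejected. The helper names, `/app`, and the sample paths are assumptions made for the demonstration.

```python
import posixpath
from pathlib import PurePosixPath

# Constructed sample values; /mediaroot and /app are assumptions for the demo.
STORAGE_ROOT = "/mediaroot"
TARGET = "/mediaroot/sitemaps/sitemap-jednostka-1.xml"


def rejected_by_check(name):
    """Restates the allow_relative_path branch quoted in the traceback."""
    path = PurePosixPath(str(name).replace("\\", "/"))
    return path.is_absolute() or ".." in path.parts


def storage_relative_name(storage_root, target):
    """Return target as a name relative to storage_root (hypothetical helper).

    Purely lexical: ".." is collapsed first, symlinks are not resolved.
    Raises ValueError when target does not lie inside storage_root.
    """
    root = PurePosixPath(posixpath.normpath(storage_root))
    full = PurePosixPath(posixpath.normpath(target))
    try:
        rel = full.relative_to(root)
    except ValueError:
        raise ValueError(f"{target!r} is outside {storage_root!r}") from None
    if not rel.parts:
        raise ValueError("target is the storage root itself, not a file")
    return rel.as_posix()


def cwd_relative_name(root, cwd, filename):
    """Name built from a root expressed relative to a working directory."""
    return posixpath.join(posixpath.relpath(root, start=cwd), filename)


if __name__ == "__main__":
    name = storage_relative_name(STORAGE_ROOT, TARGET)
    print(name, rejected_by_check(name))
    print(TARGET, rejected_by_check(TARGET))
    sibling = cwd_relative_name("/staticroot", "/app", "sitemap.xml")
    print(sibling, rejected_by_check(sibling))
```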