jlengrand/bugsink
1
0
Fork 0
mirror of https://github.com/jlengrand/bugsink.git synced 2026-03-10 08:01:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

(extra) check on storage event_id uuid-ness before using in filenames

Browse Source
This commit is contained in:
Klaas van Schelven
2025-07-29 15:08:02 +02:00
parent b8b179ff94
commit fe5527308c
1 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
events/storage.py
View File

@@ -1,3 +1,4 @@
import uuid
import contextlib
import os.path
from pathlib import Path
@@ -41,6 +42,13 @@ class FileEventStorage(EventStorage):
def _event_path(self, event_id):
# the dashes in uuid are preserved in the filename for readability; since their location is consistent, this is
# not a problem.
# event_id comes from event.id, i.e. it's a UUID object which is generated by Bugsink itself (i.e. trusted).
# The check below exists exclusively such that the security-implications of os.path.join can be understood right
# here in the code without needing to inspect all call-sites:
if not isinstance(event_id, uuid.UUID):
raise ValueError("event_id must be a UUID")
return os.path.join(self.basepath, str(event_id) + ".json")
@contextlib.contextmanager