diff --git a/src/server/routers/ingest.py b/src/server/routers/ingest.py
index 514db272..521b7de0 100644
--- a/src/server/routers/ingest.py
+++ b/src/server/routers/ingest.py
@@ -112,7 +112,10 @@ async def download_ingest(ingest_id: str) -> FileResponse:
 - **HTTPException**: **403** - the process lacks permission to read the directory or file
 """
- directory = TMP_BASE_PATH / ingest_id
+ # Normalize and validate the directory path
+ directory = (TMP_BASE_PATH / ingest_id).resolve()
+ if not str(directory).startswith(str(TMP_BASE_PATH.resolve())):
+ raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=f"Invalid ingest ID: {ingest_id!r}")
 if not directory.is_dir():
 raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=f"Digest {ingest_id!r} not found")
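Review bot: The containment test `str(directory).startswith(str(TMP_BASE_PATH.resolve()))` compares strings rather than path components, so a resolved path in a sibling directory whose name merely begins with the base's name (constructed example: base `/tmp/ingest`, resolved `/tmp/ingest-old/x`) still passes. Compare by components instead, e.g. `base = TMP_BASE_PATH.resolve()` followed by `if base not in directory.parents:` (or `not directory.is_relative_to(base)` on Python 3.9+); the `parents` form also rejects an `ingest_id` that resolves to the base directory itself, which the current check accepts. If ingest IDs have a fixed format such as a UUID, validating that before building the path would be a stricter first gate, though the format is not visible in this hunk. The body of `download_ingest` continues past the end of the hunk, so how `directory` is used afterwards was not reviewed.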