Merge pull request #538 from kimocoder/alert-autofix-16

Potential fix for code scanning alert no. 16: Uncontrolled data used in path expression

Author: kimocoder

wifite/attack/portal/server.py

@@ -224,6 +224,10 @@ def _serve_static_file(self, path):
         try:
             # Remove /static/ prefix and ensure a relative path
             file_path = path[8:].lstrip('/\\')  # Remove '/static/' and any leading separators
+            if not file_path:
+                self._send_error_response(404, 'Not Found')
+                return
+
             filename = os.path.basename(file_path)
 
             # Try to get cached static file from server instance
@@ -248,6 +252,17 @@ def _serve_static_file(self, path):
             static_dir = os.path.realpath(os.path.join(portal_dir, 'static'))
             # Build and normalize full path to requested file
             full_path = os.path.realpath(os.path.join(static_dir, file_path))
+
+            # Enforce that the requested file stays under static_dir
+            if os.path.commonpath([static_dir, full_path]) != static_dir:
+                log_warning('Portal', f'Blocked path traversal attempt: {path}')
+                self._send_error_response(403, 'Forbidden')
+                return
+
+            if not os.path.isfile(full_path):
+                self._send_error_response(404, 'Not Found')
+                return
+            full_path = os.path.realpath(os.path.join(static_dir, file_path))
 
             # Security check: ensure file is within static directory
             if os.path.commonpath([static_dir, full_path]) != static_dir: