8 changes: 5 additions & 3 deletions wifite/attack/portal/server.py
Expand Up @@ -211,11 +211,13 @@ def _serve_static_file(self, path):

# Fallback to file system if not cached
portal_dir = os.path.dirname(os.path.abspath(__file__))
static_dir = os.path.join(portal_dir, 'static')
full_path = os.path.join(static_dir, file_path)
# Normalize static directory path
static_dir = os.path.realpath(os.path.join(portal_dir, 'static'))
# Build and normalize full path to requested file
full_path = os.path.realpath(os.path.join(static_dir, file_path))

# Security check: ensure file is within static directory
if not os.path.abspath(full_path).startswith(static_dir):
if os.path.commonpath([static_dir, full_path]) != static_dir:
self._send_error_response(403, 'Forbidden')
return
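Review bot: the `os.path.commonpath` comparison on the new line is the right replacement for the `startswith` prefix test, which also accepted any sibling path whose name merely begins with `static` (a directory named `static2/` next to `static/` would have passed the old check), but `os.path.commonpath` raises `ValueError` when the two paths share no common root (different drives on Windows). Since this method already answers with `self._send_error_response(403, 'Forbidden')`, catch that exception and take the same branch so that a malformed request cannot surface as an unhandled exception from `_serve_static_file`. It is also worth a comment that `os.path.realpath` now follows symlinks on both sides, so a link inside `static/` that points outside the tree is rejected where it used to be served; that is a deliberate tightening and should be documented as such.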
Comment on lines 219 to 222

Copilot AI Feb 26, 2026


The security fix for path traversal lacks test coverage. Consider adding tests to verify that path traversal attempts (e.g., requests to '/static/../../../etc/passwd', '/static/..\..\..\windows\system32\config\sam') are properly blocked and return 403 Forbidden. This would help prevent regressions and validate the fix works correctly across different operating systems.


Comment on lines +220 to 223

Copilot AI Feb 26, 2026


The os.path.commonpath function can raise a ValueError on Windows when paths are on different drives (e.g., C:\ and D:). While unlikely in this context (both paths should be on the same drive), this could cause the entire method to fail instead of gracefully returning a 403 Forbidden response. Consider wrapping the commonpath call in a try-except block or using an alternative approach like checking if the normalized full_path starts with the normalized static_dir followed by os.sep.

Suggested change
if os.path.commonpath([static_dir, full_path]) != static_dir:
self._send_error_response(403, 'Forbidden')
return
try:
common_path = os.path.commonpath([static_dir, full_path])
except ValueError:
# Paths may be on different drives or otherwise incompatible; deny access.
self._send_error_response(403, 'Forbidden')
return
if common_path != static_dir:
self._send_error_response(403, 'Forbidden')
return

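The two review comments above ask for regression tests around the traversal check and for a deny-by-default fallback when `os.path.commonpath` raises. The following is an added example, not code from the wifite project or from the reviewer: it reproduces the patched containment logic in a stand-alone helper (`is_contained`, `resolve_static_file` and `old_prefix_check` are assumed names), builds a throwaway directory layout with constructed sample files, and runs the kinds of requests a test would cover against both the old string-prefix check and the new `commonpath` check. It also shows why the `except ValueError` branch is worth having: on POSIX `commonpath` raises when an absolute and a relative path are mixed, and the helper turns that into "forbidden" rather than an exception escaping the handler.

```python
import os
import tempfile


def is_contained(static_dir, full_path):
    # Deny-by-default containment test (assumed helper, not from the PR).
    # Both arguments are expected to be normalised with os.path.realpath.
    # os.path.commonpath raises ValueError when the paths cannot be compared
    # (different drives on Windows, or an absolute path mixed with a relative
    # one); treat that as "outside static" instead of letting it propagate.
    try:
        common = os.path.commonpath([static_dir, full_path])
    except ValueError:
        return False
    return common == static_dir


def resolve_static_file(static_root, file_path):
    # Mirrors the patched handler: realpath both sides, then check containment.
    # Returns the resolved path to serve, or None when the caller should send 403.
    static_dir = os.path.realpath(static_root)
    full_path = os.path.realpath(os.path.join(static_dir, file_path))
    return full_path if is_contained(static_dir, full_path) else None


def old_prefix_check(static_root, file_path):
    # The pre-patch logic, reproduced only to show why it was replaced: a plain
    # string-prefix test also accepts a sibling directory whose name merely
    # starts with "static" (e.g. static-private).
    full_path = os.path.join(static_root, file_path)
    return os.path.abspath(full_path).startswith(static_root)


def run_cases():
    # Builds a throwaway layout (constructed sample data, removed afterwards):
    #   <tmp>/static/app.js              legitimate asset
    #   <tmp>/secret.txt                 outside the static tree
    #   <tmp>/static-private/secret.txt  sibling dir sharing the "static" prefix
    # Returns {case: {"old": verdict, "new": verdict}} with served/forbidden.
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        static = os.path.join(tmp, 'static')
        os.makedirs(static)
        os.makedirs(os.path.join(tmp, 'static-private'))
        for rel in ('static/app.js', 'secret.txt', 'static-private/secret.txt'):
            with open(os.path.join(tmp, rel), 'w', encoding='utf-8') as fh:
                fh.write('sample\n')
        cases = {
            'plain': 'app.js',
            'dotdot': '../secret.txt',
            'deep_dotdot': '../../../../../../etc/passwd',
            'sibling_prefix': '../static-private/secret.txt',
            'absolute': os.path.join(tmp, 'secret.txt'),  # join() discards static_dir
        }
        for name, req in cases.items():
            outcomes[name] = {
                'old': 'served' if old_prefix_check(static, req) else 'forbidden',
                'new': 'served' if resolve_static_file(static, req) else 'forbidden',
            }
    return outcomes


if __name__ == '__main__':
    for name, verdict in run_cases().items():
        print(f"{name:15s} old={verdict['old']:9s} new={verdict['new']}")
    # Mixed absolute/relative input makes commonpath raise; the helper denies.
    print('mixed abs/rel ->', is_contained('/srv/static', 'relative/path'))
```

The `sibling_prefix` case is the one that separates the two checks: the old `startswith` test serves `../static-private/secret.txt` because the resolved path begins with the string of the static directory, while `commonpath` correctly reports the common ancestor as the parent directory and denies it. Backslash-separated requests such as the second comment's Windows example only act as separators on Windows; on POSIX they are ordinary filename characters, so a cross-platform test suite should parametrise the traversal strings per operating system rather than expect the same verdict everywhere.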