From a83f56a8a538407b395845cda7d74ba964cd1a40 Mon Sep 17 00:00:00 2001
From: Calum Lind
Date: Sat, 24 Aug 2024 20:22:11 +0100
Subject: [PATCH] [WebUI] Fix js script dir traversal vulnerability

Normalise the path to find scripts and skip any scripts located outside of the deluge scripts directory.

Ref: GHSL-2024-188
Issue: https://github.com/deluge-torrent/deluge/security/advisories/GHSA-3mmw-mvr2-44rw
---
 deluge/ui/web/server.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/deluge/ui/web/server.py b/deluge/ui/web/server.py
index ffa9461d7..e88c96969 100644
--- a/deluge/ui/web/server.py
+++ b/deluge/ui/web/server.py
@@ -449,8 +449,18 @@ class ScriptResource(resource.Resource, component.Component):
 filepath = filepath[0]
 path = filepath + lookup_path[len(pattern) :]
+ path = os.path.abspath(path)
+
+ if not os.path.commonpath([path, filepath]) == filepath:
+ log.warning(
+ 'Script path %s traverses out of common dir %s',
+ path,
+ filepath,
+ )
+ continue
 if not os.path.isfile(path):
+ log.warning('Unable to serve script which does not exist: %s', path)
 continue
 log.debug('Serving path: %s', path)
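Review bot: The containment check on the `if not os.path.commonpath([path, filepath]) == filepath` line normalises only one side: `path` has gone through `os.path.abspath`, but `filepath` is compared as registered, so a base registered with a trailing separator, a `..` component or as a relative path makes `commonpath`'s normalised result differ from it and every script under that pattern is refused, and a relative `filepath` next to the now-absolute `path` (or a different drive on Windows) makes `commonpath` raise `ValueError`, which nothing in the hunk catches. Normalise the base once and compare against that: `base = os.path.abspath(filepath)`, `path = os.path.abspath(base + lookup_path[len(pattern) :])`, `if os.path.commonpath([path, base]) != base:` (the warning should then print `base`). Whether symlinks inside the scripts directory are expected is not visible here; if they are not, applying `os.path.realpath` to both sides would also keep a link from resolving outside the directory. The enclosing method starts before and continues after this hunk.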