diff --git a/src/Raven.Server/Web/Studio/DataDirectoryInfo.cs b/src/Raven.Server/Web/Studio/DataDirectoryInfo.cs index b1f3549aeb3c..15d720177861 100644 --- a/src/Raven.Server/Web/Studio/DataDirectoryInfo.cs +++ b/src/Raven.Server/Web/Studio/DataDirectoryInfo.cs @@ -38,7 +38,7 @@ public DataDirectoryInfo( bool getNodesInfo, int requestTimeoutInMs, Stream responseBodyStream) { _serverStore = serverStore; - _path = path; + _path = SanitizePath(path); _name = name; _isBackup = isBackup; _getNodesInfo = getNodesInfo; @@ -46,6 +46,11 @@ public DataDirectoryInfo( _responseBodyStream = responseBodyStream; } + private string SanitizePath(string path) + { + return Path.GetFileName(path); + } + public async Task UpdateDirectoryResult(string databaseName, string error) { var drivesInfo = PlatformDetails.RunningOnPosix ? DriveInfo.GetDrives() : null; diff --git a/src/Raven.Server/Web/Studio/StudioTasksHandler.cs b/src/Raven.Server/Web/Studio/StudioTasksHandler.cs index e91a9dbf02e6..52c3a7dec68b 100644 --- a/src/Raven.Server/Web/Studio/StudioTasksHandler.cs +++ b/src/Raven.Server/Web/Studio/StudioTasksHandler.cs @@ -17,7 +17,6 @@ using Sparrow.Json; using Sparrow.Json.Parsing; using Voron.Util.Settings; - namespace Raven.Server.Web.Studio { public sealed class StudioTasksHandler : ServerRequestHandler @@ -27,6 +26,14 @@ public sealed class StudioTasksHandler : ServerRequestHandler public async Task FullDataDirectory() { var path = GetStringQueryString("path", required: false); + if (!string.IsNullOrEmpty(path)) + { + path = Path.GetFullPath(path); + if (!path.StartsWith(ServerStore.Configuration.Core.DataDirectory.FullPath)) + { + throw new InvalidOperationException("Invalid path"); + } + } var name = GetStringQueryString("name", required: false); var requestTimeoutInMs = GetIntValueQueryString("requestTimeoutInMs", required: false) ?? 5 * 1000;
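Review bot: After this assignment `_path` no longer holds the directory the caller passed in but only its last segment, because `SanitizePath` is `Path.GetFileName`: `"/var/lib/ravendb/Databases/db1"` is stored as `"db1"`. Every reader of `_path` is outside the hunk, so I cannot tell whether the field is later used to locate that directory on disk; if it is, the lookup now runs against a bare name and will presumably miss. If the value is only echoed back to the client, say so at the point of assignment, e.g. `// Keep only the leaf name: _path is reported back to the caller and must not be used to touch the file system.` (confirm that this holds for every reader before adopting the wording). The constructor body starts before the hunk.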
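Review bot: `Path.GetFileName` does not neutralise every traversal token: for `path` equal to `..` or `/a/b/..` it returns `..` unchanged, and for a path with a trailing separator (`/var/lib/ravendb/`) it returns an empty string, so the sanitised value can still be a parent-directory reference or silently blank. On Linux it also treats only `/` as a separator, so `..\..\x` comes through intact. Trim trailing separators first, reject `.` and `..` explicitly, and document that only the leaf name survives; the method reads no instance state, so it can be `static`. Whether an invalid segment should throw or yield an empty name depends on how `_path` is consumed, which is outside the hunk; the rewrite below throws.
```csharp
        /// <summary>
        /// Keeps only the last segment of <paramref name="path"/> (no directory component).
        /// Null or empty input is returned unchanged.
        /// </summary>
        /// <exception cref="ArgumentException">The last segment is "." or "..".</exception>
        private static string SanitizePath(string path)
        {
            if (string.IsNullOrEmpty(path))
                return path;

            // Strip trailing separators first; otherwise GetFileName("/a/b/") is "".
            var leaf = Path.GetFileName(path.TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar));

            // GetFileName returns "." and ".." untouched, and both are still traversal tokens.
            if (leaf == "." || leaf == "..")
                throw new ArgumentException("Invalid path", nameof(path));

            return leaf;
        }
```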
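Review bot: The `StartsWith` guard is a bare prefix match, so any sibling of the data directory whose name merely begins with it passes: with `DataDirectory.FullPath` = `/var/lib/ravendb`, `path=/var/lib/ravendb-old/x` is accepted, and because no `StringComparison` is supplied the comparison is culture-sensitive rather than a byte-wise path comparison (a case difference is rejected on Windows, where paths are case-insensitive, while ICU-ignorable characters inside `path` are skipped). Comparing through `Path.GetRelativePath`, which already applies the platform's own path comparison, and rejecting a result that is rooted or begins with `..` closes both gaps; the rewrite is below. `InvalidOperationException` here presumably surfaces as a server error rather than a 400, so if the project has a bad-request exception type it is the better fit. `FullDataDirectory` continues past the end of the hunk, so I cannot see what the validated `path` is handed to.
```csharp
            var path = GetStringQueryString("path", required: false);
            if (!string.IsNullOrEmpty(path))
            {
                // Resolve "..", "." and relative segments before comparing.
                path = Path.GetFullPath(path);

                // GetRelativePath uses the platform's path comparison (ordinal on POSIX,
                // case-insensitive on Windows). Anything outside the data directory comes
                // back either rooted (different root/drive) or starting with "..".
                var relative = Path.GetRelativePath(ServerStore.Configuration.Core.DataDirectory.FullPath, path);
                if (Path.IsPathRooted(relative) ||
                    relative == ".." ||
                    relative.StartsWith(".." + Path.DirectorySeparatorChar, StringComparison.Ordinal))
                {
                    throw new InvalidOperationException("Invalid path");
                }
            }
            // … unchanged: name / requestTimeoutInMs query-string parsing …
```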