From 2cdf6ef53e8c5ee2f48da652143fdfe5776d1663 Mon Sep 17 00:00:00 2001
From: billz
Date: Fri, 8 Mar 2024 11:15:31 +0100
Subject: [PATCH] Sanitize path to prevent directory traversal

---
 .gitignore               | 1 -
 api/modules/wireguard.py | 16 ++++++++++------
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/.gitignore b/.gitignore
index 245d6fa4..a2a77b49 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,4 +5,3 @@ yarn-error.log
 includes/config.php
 rootCA.pem
 vendor
-.env
diff --git a/api/modules/wireguard.py b/api/modules/wireguard.py
index 904d87bb..d7470e69 100644
--- a/api/modules/wireguard.py
+++ b/api/modules/wireguard.py
@@ -1,5 +1,6 @@
 import subprocess
 import re
+import os
 
 def configs():
     #ignore symlinks, because wg0.conf is in production the main config, but in insiders it is a symlink
@@ -24,13 +25,16 @@ def client_config_list(client_config):
     if not re.match(pattern, client_config):
         raise ValueError("Invalid client_config")
 
-    config_path = f"/etc/wireguard/{client_config}"
-    try:
-        with open(config_path, 'r') as f:
-            output = f.read().strip()
-            return output.split('\n')
-    except FileNotFoundError:
+    # sanitize path to prevent directory traversal
+    client_config = os.path.basename(client_config)
+
+    config_path = os.path.join("/etc/wireguard/", client_config)
+    if not os.path.exists(config_path):
         raise FileNotFoundError("Client configuration file not found")
+    with open(config_path, 'r') as f:
+        output = f.read().strip()
+        return output.split('\n')
+
 
 #TODO: where is the logfile??
 #TODO: is service connected?
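Review bot: The `os.path.basename` line quietly rewrites a traversal attempt instead of rejecting it, and it leaves `.` and `..` untouched, so `/etc/wireguard/..` passes the `os.path.exists` check and `open` then fails with IsADirectoryError instead of the intended error (whether `pattern`, assigned above the hunk, already excludes these is not visible here). The `exists`-then-`open` sequence also introduces a check-then-use race and drops the FileNotFoundError handling the removed lines had, so a file deleted between the two calls surfaces as an unhandled exception. I would reject any value that is not a bare filename and go back to opening inside try/except, as below; `client_config_list` starts outside the hunk. Separately, dropping `.env` from `.gitignore` in the same commit is unrelated to this fix and makes it easier to commit local secrets, so it belongs in its own change.
```python
    if not re.match(pattern, client_config):
        raise ValueError("Invalid client_config")

    # reject, don't rewrite: a name with a directory component is an attack, not a typo
    if client_config in (".", "..") or os.path.basename(client_config) != client_config:
        raise ValueError("Invalid client_config")

    config_path = os.path.join("/etc/wireguard", client_config)
    try:
        with open(config_path, 'r') as f:
            return f.read().strip().split('\n')
    except FileNotFoundError:
        raise FileNotFoundError("Client configuration file not found") from None
```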