Fix Docs Reader traversal and add Waldwaechter patch

2025-12-25 22:24:31 +01:00
parent 561ff0750a
commit 811de6f07b
4 changed files with 129 additions and 33 deletions
--- a/app/routers/docs_reader.py
+++ b/app/routers/docs_reader.py
@@ -34,26 +34,13 @@ async def list_docs(req: Request):
    """
    List available documentation files.
    """
-    # Check which exist
    available = []
-
-    # Use configured docs path
-    try:
-        settings = get_settings()
-        base_path = settings.docs_path
-    except:
-        base_path = "docs"
-    
-    # Check if absolute or relative
-    if not os.path.isabs(base_path) and not os.path.exists(base_path):
-        # Fallback for docker containers if path not found relative
-        if os.path.exists("/docs_root"):
-            base_path = "/docs_root"
-        else:
-             base_path = "."
+    base_path = _get_docs_base_path()
    
    for filename, title in ALLOWED_DOCS.items():
-        if os.path.exists(os.path.join(base_path, filename)):
+        # Check root and subdirectories (1 level deep)
+        full_path = _find_file(base_path, filename)
+        if full_path:
            available.append({"name": title, "file": filename})
    
    return req.app.state.render(
@@ -71,22 +58,10 @@ async def view_doc(req: Request, filename: str):
    if filename not in ALLOWED_DOCS:
        raise HTTPException(404, "File not found or not allowed.")
        
-    base_path = "docs"
-    try:
-        settings = get_settings()
-        base_path = settings.docs_path
-    except:
-        pass
-        
-    if not os.path.isabs(base_path) and not os.path.exists(base_path):
-         if os.path.exists("/docs_root"):
-            base_path = "/docs_root"
-         else:
-            base_path = "."
-        
-    file_path = os.path.join(base_path, filename)
+    base_path = _get_docs_base_path()
+    file_path = _find_file(base_path, filename)
    
-    if not os.path.exists(file_path):
+    if not file_path:
        raise HTTPException(404, "File not on server.")
        
    try:
@@ -94,7 +69,6 @@ async def view_doc(req: Request, filename: str):
            content = f.read()
            
        # Convert Markdown to HTML
-        # Extensions for better rendering: tables, fenced_code
        html_content = markdown.markdown(
            content, 
            extensions=['tables', 'fenced_code', 'nl2br']
@@ -110,3 +84,33 @@ async def view_doc(req: Request, filename: str):
        
    except Exception as e:
        raise HTTPException(500, f"Error rendering document: {e}")
+
+def _get_docs_base_path():
+    try:
+        settings = get_settings()
+        base_path = settings.docs_path
+    except:
+        base_path = "docs"
+        
+    if not os.path.isabs(base_path) and not os.path.exists(base_path):
+         if os.path.exists("/docs_root"):
+            base_path = "/docs_root"
+         else:
+            base_path = "."
+    return base_path
+
+def _find_file(base_path, filename):
+    """Find file in base_path or immediate subdirectories."""
+    # 1. Direct match
+    direct = os.path.join(base_path, filename)
+    if os.path.exists(direct):
+        return direct
+        
+    # 2. Check subdirectories (max depth 1)
+    if os.path.isdir(base_path):
+        for entry in os.scandir(base_path):
+            if entry.is_dir():
+                sub_path = os.path.join(entry.path, filename)
+                if os.path.exists(sub_path):
+                    return sub_path
+    return None