Re: Django Exception "Detected path traversal attempt in" for save a model with filefield

This is obviously some type of security feature to prevent someone from climbing up a directory. You have ".." in your string for the file path somewhere. 

What is the value of "dir_name" when the exception is raised? It should be in the traceback somewhere. Should help narrow down where it's coming from. Most likely a mistake you made in your settings file concating strings related to where Django should upload files. 

On Thu, Feb 3, 2022, 2:12 PM Joalbert Palacios <joalbertp@gmail.com> wrote:

Hi group,

I have been updating my django version so as to cover the last security patch with django version 3.2  (current version 3.2.12). 

Unfortunately, after this update the following exception occurs during execution of testing:

Detected path traversal attempt in '/home/joalbert/Documents/Remesas App/RemesasServer/media/payments/images/temp_qHaTViL.png'
Bad Request: /webapp/payment

I have read https://stackoverflow.com/questions/69745412/django-and-suspiciousfileoperationdetected-path-traversal-attempt and followed but not works in my case, maybe I misunderstood something, I would appreciate any help regarding how to fix those exception. 

I read django code and find the errors is in the following section:

def get_available_name(self, name, max_length=None):

"""

Return a filename that's free on the target storage system and

available for new content to be written to.

"""

name = str(name).replace('\\', '/')

dir_name, file_name = os.path.split(name)

if '..' in pathlib.PurePath(dir_name).parts:

raise SuspiciousFileOperation("Detected path traversal attempt in '%s'" % dir_name)

Here it is my code in the sections that code goes by to send response to client.

Model.py:

class Payment(models.Model):

STATUS = ((0, _("Draft")), (1, _("Aproved")), (2 , _("Rejected")), (3, _("Released")))

order_number_id = models.OneToOneField(Exchange_Order, on_delete=models.CASCADE, related_name="order_payment")

user_id =models.ForeignKey(User, verbose_name=_('user'), on_delete= models.CASCADE, related_name="payment_user_id")

capture = models.FileField(verbose_name=_('image'), upload_to="payments/images", max_length=1024)

payment_date = models.DateTimeField(verbose_name=_('date'), default=datetime.now().replace(tzinfo=timezone.utc))

status = models.PositiveSmallIntegerField(verbose_name=_('status'), default=0, choices=STATUS)

reason = models.ForeignKey(Reasons,verbose_name=_('reason'), on_delete=models.CASCADE, related_name="payment_reason",

null=True, blank=True)

def __str__(self) -> str:

return f"{self.order_number_id} {self.user_id.username} {self.payment_date}"

class Meta: #new

verbose_name = _("Payment from Client to 'Activo Digital'")

verbose_name_plural = _("Payments from Client to 'Activo Digital'")

forms.py

class Payment_All_Form(forms.ModelForm):

class Meta:

model = Payment

fields = "__all__"

views.py (only post method is included for clarity)

class PaymentSessionView(LoginRequiredMixin, CreateView):

queryset = Payment.objects.all()

form_class = Payment_Form

http_method_names = ['get', 'post']

template_name="clienteServidor/webapp/payment.html"

@method_decorator(User_Detail_Permission_Web)

def post(self, request, *args, **kwargs):

models = Exchange_Order.objects.filter(status=0, user_id=request.user)

# En caso de que no haya ordenes abiertas

if not models.exists():

context =self._add_context_data()

context["existant"] ="No hay orden abierta"

context["form"] = Payment_Form()

return render(request,self.template_name, context)

# Procesar pago para ordenes abiertas

forms = []

data_list = []

order_ids = []

for model in models:

my_data = self._complete_data(request, model.id)

data_list.append(my_data)

order_ids.append(f"Orden: {model.id}")

forms.append(Payment_All_Form(my_data,request.FILES))

# Chequear que todas las formas sean validas

are_valids = []

for form in forms:

are_valids.append(form.is_valid())

# If any invalid

if False in are_valids:

for index, items in enumerate(are_valids):

if not items:

form = forms[index]

context = self._add_context_data()

context["form"] = form

return render(request,self.template_name, context)

for index, model in enumerate(models):

if index == 0:

forms[index].save()

else:

data_list[index]["order_number_id"]=model

data_list[index]["user_id"]=request.user

datum = {k:v for k,v in data_list[index].items() if k!="csrfmiddlewaretoken"}

payment = Payment(**datum)

payment.save()

model.status=1

model.grouped_orders = order_ids

model.save()

my_message ="Orden Nro "+ str(model.id) + (" fue procesada exitosamente, les estaremos notificando"

" por correo cuando el pago sea validado y procesado en el destino.")

messages.add_message(request, messages.INFO, my_message)

return HttpResponseRedirect(reverse_lazy("transaction_web"))

Settings.py:

MEDIA_ROOT = "./media/"#os.path.join(BASE_DIR, 'media')

MEDIA_URL = '/media/'

I hope sincerely that you could have any answer how to fix it. I really appreciate your help regarding this issue.

Sincerely,

Joalbert

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/35a15616-92fc-41d4-97b3-8fb3061ec881n%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAF-Y%3De5AfqxZMjdT6P4XozpqSLwECe6zM9XOUb23PG%2BjhH1K2w%40mail.gmail.com.