From c63db67b04fc4662566c1cbd44acd16a68355f79 Mon Sep 17 00:00:00 2001 From: Andrew Date: Fri, 21 Nov 2025 14:02:02 -0400 Subject: [PATCH 1/3] Fix bad parameter in delete call on import dir cleanup --- app/classes/shared/tasks.py | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/app/classes/shared/tasks.py b/app/classes/shared/tasks.py index 7be22c73..79ff5d2d 100644 --- a/app/classes/shared/tasks.py +++ b/app/classes/shared/tasks.py @@ -5,6 +5,7 @@ import threading import asyncio import datetime import json +from pathlib import Path from zoneinfo import ZoneInfoNotFoundError from tzlocal import get_localzone from apscheduler.events import EVENT_JOB_EXECUTED @@ -815,15 +816,16 @@ class TasksManager: os.remove(os.path.join(file)) except FileNotFoundError: logger.debug("Could not clear out file from temp directory") - - for file in os.listdir( - os.path.join(self.controller.project_root, "import", "upload") - ): - if self.helper.is_file_older_than_x_days( - os.path.join(self.controller.project_root, "import", "upload", file) - ): + import_path = Path(self.controller.project_root, "import", "upload") + for file in os.listdir(import_path): + file_path = Path(import_path, file).resolve(strict=True) + if not self.helper.validate_traversal(import_path, file_path): + logger.error( + "Traversal detected while deleting import file %s", file_path + ) + if self.helper.is_file_older_than_x_days(Path(import_path, file)): try: - os.remove(os.path.join(file)) + os.remove(Path(import_path, file)) except FileNotFoundError: logger.debug("Could not clear out file from import directory") -- GitLab From 20d6a2a1da9775da8217bb140c69e0adc7c97510 Mon Sep 17 00:00:00 2001 From: Andrew Date: Fri, 21 Nov 2025 14:05:32 -0400 Subject: [PATCH 2/3] Modify variable useage --- app/classes/shared/tasks.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/classes/shared/tasks.py b/app/classes/shared/tasks.py index 79ff5d2d..4134a634 100644 --- a/app/classes/shared/tasks.py +++ b/app/classes/shared/tasks.py @@ -823,9 +823,9 @@ class TasksManager: logger.error( "Traversal detected while deleting import file %s", file_path ) - if self.helper.is_file_older_than_x_days(Path(import_path, file)): + if self.helper.is_file_older_than_x_days(file_path): try: - os.remove(Path(import_path, file)) + os.remove(file_path) except FileNotFoundError: logger.debug("Could not clear out file from import directory") -- GitLab From f40e772eeb16321c84c78518bc2117d0716401ff Mon Sep 17 00:00:00 2001 From: Zedifus Date: Sat, 22 Nov 2025 15:42:05 +0000 Subject: [PATCH 3/3] Update changelog !918 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f5c1b234..99adca88 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ TBD - Change hour and minute intervals in APScheudler to fix incorrect triggers ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/910)) - Use asyncio locks to limit upload handler race condition ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/907)) - Fix static fonts not working on some browsers ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/906)) +- Fix import directory cleanup was not pointing to the proper directory ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/918)) ### Tweaks TBD ### Lang -- GitLab