Harden local secrets and backup restore

This commit is contained in:
2026-06-05 16:23:38 +02:00
parent 01b8128835
commit 1839328dfe
5 changed files with 11 additions and 2 deletions
+5 -1
View File
@@ -77,6 +77,7 @@ def export_backup_archive(
def _extract_uploads_to_temp(archive: zipfile.ZipFile) -> Path:
temp_dir = Path(tempfile.mkdtemp(prefix="nouri-restore-uploads-"))
temp_root = temp_dir.resolve()
for member in archive.infolist():
if not member.filename.startswith("uploads/") or member.is_dir():
continue
@@ -84,8 +85,11 @@ def _extract_uploads_to_temp(archive: zipfile.ZipFile) -> Path:
if not relative_target:
continue
target_path = temp_dir / relative_target
resolved_target = target_path.resolve()
if not resolved_target.is_relative_to(temp_root):
raise ValueError("Das Backup enthält einen ungültigen Upload-Pfad.")
target_path.parent.mkdir(parents=True, exist_ok=True)
with archive.open(member, "r") as source, target_path.open("wb") as destination:
with archive.open(member, "r") as source, resolved_target.open("wb") as destination:
shutil.copyfileobj(source, destination)
return temp_dir