From b5ab941788f6232b4f9313432ea7bfb61389fbfd Mon Sep 17 00:00:00 2001
From: AarDG10
Date: Tue, 24 Mar 2026 17:50:32 +0530
Subject: [PATCH] fix: validate path in render_include
Validate the parsed path in render_include by canonicalizing the path
---
 frappe/model/utils/__init__.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/frappe/model/utils/__init__.py b/frappe/model/utils/__init__.py
index 7a6ce01c44..61c26b21ad 100644
--- a/frappe/model/utils/__init__.py
+++ b/frappe/model/utils/__init__.py
@@ -57,6 +57,7 @@ class InvalidIncludePath(frappe.ValidationError):
 def render_include(content):
 """render {% raw %}{% include "app/path/filename" %}{% endraw %} in js file"""
+ import os
 content = cstr(content)
@@ -69,7 +70,13 @@ def render_include(content):
 for path in paths:
 app, app_path = path.split("/", 1)
- with open(frappe.get_app_path(app, app_path), encoding="utf-8") as f:
+ resolved_path = os.path.realpath(frappe.get_app_path(app, app_path)) app_root = os.path.realpath(frappe.get_app_path(app))
+ if not resolved_path.startswith(app_root + os.sep): frappe.throw(frappe._("Security Error: The Path provided is not safe."))
+ with open(resolved_path, encoding="utf-8") as f:
 include = f.read()
 if path.endswith(".html"):
 include = html_to_js_template(path, include)
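Review bot: The rejection in the second hunk raises a plain `frappe.ValidationError` via `frappe.throw`, while this module already defines `InvalidIncludePath(frappe.ValidationError)` (visible in the first hunk's header) for bad include paths; pass it as the exception class so callers can catch the traversal case specifically: `frappe.throw(frappe._("Security Error: The Path provided is not safe."), InvalidIncludePath)`. The `startswith(app_root + os.sep)` test has the right shape (a sibling directory that merely shares the prefix is not accepted), though `os.path.commonpath([app_root, resolved_path]) == app_root` states the containment without the separator concatenation. Note that `app` comes straight from the include directive and is not checked against installed apps in this hunk, so whether `frappe.get_app_path` fails cleanly for an unknown app name is not visible here. The function-local `import os` added in the first hunk would conventionally sit with the module-level imports. render_include begins and ends outside both hunks.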