fix: Prevent vfolder request-download API from accessing host files…

…ystem
lablup · Dec 11, 2024 · a0c74cd · a0c74cd
1 parent 0b0ae9d
commit a0c74cd
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/ai/backend/storage/api/client.py b/src/ai/backend/storage/api/client.py
@@ -156,7 +156,7 @@ class Params(TypedDict):
                 if (dst_dir := params["dst_dir"]) is not None:
                     parent_dir = vfpath / dst_dir
                 file_path = parent_dir / token_data["relpath"]
-                file_path.relative_to(vfpath)
+                file_path.resolve().relative_to(vfpath)
                 if not file_path.exists():
                     raise FileNotFoundError
             except (ValueError, FileNotFoundError):