SuspiciousFileOperation on Django 4.2.14 django-static-sitemaps 5.0.0 #81

Open
mpasternak opened this issue Jul 26, 2024 · 5 comments

Comments

@mpasternak

Hi,

I am again running into something resembling issue #19,

it looks like the directory to STATICSITEMAPS_ROOT cannot be absolute with the current setup.

I don't think there is anything bad with absolute paths, as I am running my code on Docker and the path is both /staticroot and /mediaroot and there's a Docker volume mounted.

Currently I mitigated this issue by setting, in my settings.py:

STATICSITEMAPS_ROOT_DIR = os.path.relpath(STATIC_ROOT, start=os.getcwd())

... but I guess this is far from ideal.

The traceback:

name = '/Users/mpasternak/bpp-media/sitemaps/sitemap-jednostka-1.xml', allow_relative_path = True

    def validate_file_name(name, allow_relative_path=False):
        # Remove potentially dangerous names
        if os.path.basename(name) in {"", ".", ".."}:
            raise SuspiciousFileOperation("Could not derive file name from '%s'" % name)

        if allow_relative_path:
            # Ensure that name can be treated as a pure posix path, i.e. Unix
            # style (with forward slashes).
            path = pathlib.PurePosixPath(str(name).replace("\\", "/"))
            if path.is_absolute() or ".." in path.parts:
>               raise SuspiciousFileOperation(
                    "Detected path traversal attempt in '%s'" % name
E                   django.core.exceptions.SuspiciousFileOperation: Detected path traversal attempt in '/Users/mpasternak/bpp-media/sitemaps/sitemap-jednostka-1.xml'

allow_relative_path = True
name       = '/Users/mpasternak/bpp-media/sitemaps/sitemap-jednostka-1.xml'
path       = PurePosixPath('/Users/mpasternak/bpp-media/sitemaps/sitemap-jednostka-1.xml')

../../Library/Caches/pypoetry/virtualenvs/bpp-iplweb-61_RsGZW-py3.11/lib/python3.11/site-packages/django/core/files/utils.py:17: SuspiciousFileOperation
@shtalinberg

shtalinberg commented Sep 27, 2024

I have the same error with Django 4.2.16 and django-static-sitemaps 5.0.0

PROJECT_ROOT = os.path.abspath(os.path.dirname(os.path.dirname(__file__)))
MANAGE_ROOT = os.path.dirname(PROJECT_ROOT)
REPOSITORY_ROOT = os.path.dirname(MANAGE_ROOT)

def join_to_repo(slug):
    return os.path.join(REPOSITORY_ROOT, slug)

MEDIA_ROOT = join_to_repo('media')
MEDIA_URL = '/media/'
STATICSITEMAPS_ROOT_DIR = os.path.join(MEDIA_ROOT, 'sitemaps')
STATICSITEMAPS_URL = os.path.join(MEDIA_URL, 'sitemaps')
STATICSITEMAPS_MOCK_SITE_PROTOCOL = 'https' if SECURE_SSL_REDIRECT else 'http'

  File "/home/user/wss/project/.venv3/lib/python3.10/site-packages/static_sitemaps/generator.py", line 67, in _write
    self.storage.save(path, ContentFile(output))
  File "/home/user/wss/project/.venv3/lib/python3.10/site-packages/django/core/files/storage/base.py", line 41, in save
    validate_file_name(name, allow_relative_path=True)
  File "/home/user/wss/project/.venv3/lib/python3.10/site-packages/django/core/files/utils.py", line 17, in validate_file_name
    raise SuspiciousFileOperation(
django.core.exceptions.SuspiciousFileOperation: Detected path traversal attempt in '/home/user/wss/project/media/sitemaps/sitemap-categories-1.xml'

All Python/Django code is located here:
/home/user/wss/project/src/
/home/user/wss/project/src/manage.py

@shtalinberg

shtalinberg commented Sep 30, 2024

I tried to use a lower Django version and found it works with Django 4.2.13 and breaks with Django 4.2.14 (something changed here).

@shtalinberg

shtalinberg commented Sep 30, 2024

django/django@2b00edc - it seems that these changes broke everything

@JohnnyBoomKek

Fixed by replacing the absolute path with a relative one:
STATICSITEMAPS_ROOT_DIR = BASE_PATH / 'sitemaps'
to
STATICSITEMAPS_ROOT_DIR = 'sitemaps'

@shtalinberg

Yes, it can work locally, but the realities of production life are usually such that the media folder is located outside the code and you need to specify an absolute path.
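As an added example (not code from this issue or from django-static-sitemaps), the Django 4.2.14 check quoted in the first traceback is reproduced stand-alone below, next to a helper that turns an absolute sitemap directory into a name relative to the storage's location, which is what `Storage.save()` now requires. It also shows why the `os.path.relpath(..., start=os.getcwd())` mitigation from the first comment only works when the sitemap directory sits under the current working directory. The sample paths come from the tracebacks in this thread; the storage location (MEDIA_ROOT for a default FileSystemStorage), the helper names `storage_relative_name`, `relpath_workaround` and `is_accepted` are assumptions for illustration, and the exception class is a stand-in so the block runs without Django.

```python
"""Why Django >= 4.2.14 rejects an absolute STATICSITEMAPS_ROOT_DIR, and how to
derive a storage-relative name that passes the same check.

Added example, not part of the issue or of django-static-sitemaps. The check
mirrors django.core.files.utils.validate_file_name as shown in the traceback;
the exception class is a stand-in so this runs without Django installed.
"""
import os
import pathlib


class SuspiciousFileOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousFileOperation."""


def validate_file_name(name, allow_relative_path=False):
    """Copy of the check Storage.save() runs with allow_relative_path=True.

    Absolute names and any '..' component are rejected, regardless of whether
    the path really points inside the storage location.
    """
    if os.path.basename(name) in {"", ".", ".."}:
        raise SuspiciousFileOperation("Could not derive file name from '%s'" % name)
    if allow_relative_path:
        # Treat the name as a pure POSIX path so backslashes cannot hide '..'.
        path = pathlib.PurePosixPath(str(name).replace("\\", "/"))
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation(
                "Detected path traversal attempt in '%s'" % name
            )
    return name


def is_accepted(name):
    """True if Storage.save() in Django >= 4.2.14 would accept this name."""
    try:
        validate_file_name(name, allow_relative_path=True)
    except SuspiciousFileOperation:
        return False
    return True


def storage_relative_name(root_dir, filename, location):
    """Build the name to hand to storage.save() for one sitemap file.

    root_dir:  STATICSITEMAPS_ROOT_DIR, absolute or relative.
    location:  the storage's base directory (assumed: MEDIA_ROOT for a default
               FileSystemStorage). An absolute root_dir must lie inside it,
               otherwise there is no relative name the storage can resolve.
    """
    root = pathlib.PurePosixPath(root_dir)
    if root.is_absolute():
        try:
            root = root.relative_to(pathlib.PurePosixPath(location))
        except ValueError:
            raise ValueError(
                "%s is not inside storage location %s" % (root_dir, location)
            )
    name = (root / filename).as_posix()
    # Same check the storage applies; raises if the result is still unsafe.
    return validate_file_name(name, allow_relative_path=True)


def relpath_workaround(root_dir, cwd, filename):
    """The name produced by the issue's os.path.relpath(..., start=cwd) fix."""
    return os.path.join(os.path.relpath(root_dir, start=cwd), filename)


if __name__ == "__main__":
    media = "/home/user/wss/project/media"          # MEDIA_ROOT from the thread
    root = media + "/sitemaps"                      # STATICSITEMAPS_ROOT_DIR
    fname = "sitemap-categories-1.xml"

    absolute = root + "/" + fname
    print("absolute name accepted:", is_accepted(absolute))            # False
    print("storage-relative name:", storage_relative_name(root, fname, media))

    # relpath against a cwd that is not an ancestor yields '../...', rejected.
    wa = relpath_workaround(root, "/home/user/wss/project/src", fname)
    print(wa, "accepted:", is_accepted(wa))                             # False
```

The output of `relpath_workaround` also shows the second limitation of that mitigation: even when it yields a clean name such as `media/sitemaps/...`, FileSystemStorage resolves the name against its own `location`, not the process's working directory, so the files land under MEDIA_ROOT/media/sitemaps rather than in the configured directory. A library-side alternative (suggestion, not something the project does) is to construct the storage with `FileSystemStorage(location=STATICSITEMAPS_ROOT_DIR)` and save only the bare file name, which keeps absolute directories usable in production without bypassing the traversal check.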
