From e48e82232d67695d412ba89df7dcea725a991f3d Mon Sep 17 00:00:00 2001
From: Matthias
Date: Sun, 7 Aug 2022 10:42:56 +0200
Subject: [PATCH] Force response API to js to fix faulty system configs

closes #7147
---
 freqtrade/rpc/api_server/web_ui.py | 7 ++++++-
 tests/rpc/test_rpc_apiserver.py | 3 +++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/freqtrade/rpc/api_server/web_ui.py b/freqtrade/rpc/api_server/web_ui.py
index b04269c61..e1a277b30 100644
--- a/freqtrade/rpc/api_server/web_ui.py
+++ b/freqtrade/rpc/api_server/web_ui.py
@@ -1,4 +1,5 @@
 from pathlib import Path
+from typing import Optional
 
 from fastapi import APIRouter
 from fastapi.exceptions import HTTPException
@@ -50,8 +51,12 @@ async def index_html(rest_of_path: str):
 filename = uibase / rest_of_path
 # It's security relevant to check "relative_to".
 # Without this, Directory-traversal is possible.
+ media_type: Optional[str] = None
+ if filename.suffix == '.js':
+ # Force text/javascript for .js files - Circumvent faulty system configuration
+ media_type = 'application/javascript'
 if filename.is_file() and is_relative_to(filename, uibase):
- return FileResponse(str(filename))
+ return FileResponse(str(filename), media_type=media_type)
 
 index_file = uibase / 'index.html'
 if not index_file.is_file():
diff --git a/tests/rpc/test_rpc_apiserver.py b/tests/rpc/test_rpc_apiserver.py
index b7161e680..6bbf3cff6 100644
--- a/tests/rpc/test_rpc_apiserver.py
+++ b/tests/rpc/test_rpc_apiserver.py
@@ -109,6 +109,9 @@ def test_api_ui_fallback(botclient, mocker):
 rc = client_get(client, "/something")
 assert rc.status_code == 200
 
+ rc = client_get(client, "/something.js")
+ assert rc.status_code == 200
+
 # Test directory traversal without mock
 rc = client_get(client, '%2F%2F%2Fetc/passwd')
 assert rc.status_code == 200
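Review bot: The comment on the new `.js` branch in index_html says `text/javascript` while the value actually assigned is `'application/javascript'`, so comment and code disagree about which type is being forced; browsers accept either, but the comment should name the real value, e.g. `# Force application/javascript for .js files - circumvent faulty system mimetypes configuration`. The override is keyed on `filename.suffix == '.js'` only; if the installed UI bundle also ships `.mjs` modules (not visible in this hunk) they would still receive the system-derived type, and `if filename.suffix in ('.js', '.mjs'):` would cover both. Computing `media_type` before the `is_file()`/`is_relative_to` guard is harmless, since it is only passed to FileResponse inside that guarded branch, so the traversal check the existing comment describes is unaffected. index_html starts before this hunk and ends after it.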
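Review bot: The new request for `/something.js` asserts only the status code, so it passes whether or not the forced media type is applied and would not catch a regression of the web_ui.py change this commit makes. If the request is meant to reach the `.js` branch of index_html (is_file appears to be mocked earlier in this test, which is outside the hunk), add `assert rc.headers['content-type'].startswith('application/javascript')` after the status check; if it is instead meant to exercise the index.html fallback, asserting `text/html` would document that intent. test_api_ui_fallback starts before this hunk.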