From b74ff39438a54f0aa0241c95a8841a580f8ac18f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krist=C3=B3f=20T=C3=B3th?=
Date: Thu, 5 Apr 2018 14:43:39 +0200
Subject: [PATCH] Implement directory whitelisting in webide
---
 .../components/source_code_event_handler.py | 24 +++++++++++++++----
 1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/lib/tfw/components/source_code_event_handler.py b/lib/tfw/components/source_code_event_handler.py
index 6bc020c..43b1972 100644
--- a/lib/tfw/components/source_code_event_handler.py
+++ b/lib/tfw/components/source_code_event_handler.py
@@ -1,7 +1,7 @@
 # Copyright (C) 2018 Avatao.com Innovative Learning Kft.
 # All Rights Reserved. See LICENSE file for details.
-from os.path import isfile, join, relpath, exists, isdir
+from os.path import isfile, join, relpath, exists, isdir, realpath
 from glob import glob
 from fnmatch import fnmatchcase
 from collections import Iterable
@@ -13,9 +13,10 @@ from tfw.config.logs import logging
 LOG = logging.getLogger(__name__)
-class FileManager:
- def __init__(self, working_directory, selected_file=None, exclude=None):
+class FileManager: # pylint: disable=too-many-instance-attributes
+ def __init__(self, working_directory, allowed_directories=None, selected_file=None, exclude=None):
 self._exclude, self.exclude = None, exclude
+ self._allowed_directories, self.allowed_directories = None, allowed_directories
 self._workdir, self.workdir = None, working_directory
 self._filename, self.filename = None, selected_file or self.files[0]
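Review bot: Any existing caller that passes `selected_file` positionally to `FileManager.__init__` will now have that value bound to `allowed_directories`, because the new parameter is inserted ahead of it in the signature. The same insertion is made in `SourceCodeEventHandler.__init__` in the last hunk of this patch. Adding the parameter at the end as keyword-only keeps old call sites working and makes the whitelist explicit at every call: `def __init__(self, working_directory, selected_file=None, exclude=None, *, allowed_directories=None):`. No callers are visible in this patch, so whether any of them pass these arguments positionally is unverified.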
@@ -39,8 +40,19 @@ class FileManager:
 def workdir(self, directory):
 if not exists(directory) or not isdir(directory):
 raise EnvironmentError('"{}" is not a directory!'.format(directory))
+ if self.allowed_directories:
+ if realpath(directory) not in self._allowed_directories:
+ raise EnvironmentError('Directory "{}" is not in whitelist!'.format(directory))
 self._workdir = directory
+ @property
+ def allowed_directories(self):
+ return self._allowed_directories
+
+ @allowed_directories.setter
+ def allowed_directories(self, directories):
+ self._allowed_directories = directories
+
 @property
 def filename(self):
 return self._filename
@@ -75,9 +87,11 @@ class FileManager:
 class SourceCodeEventHandler(TriggerlessEventHandler):
- def __init__(self, key, directory, selected_file=None, exclude=None):
+ # pylint: disable=too-many-arguments
+ def __init__(self, key, directory, allowed_directories=None, selected_file=None, exclude=None):
 super().__init__(key)
- self.filemanager = FileManager(directory, selected_file=selected_file, exclude=exclude)
+ self.filemanager = FileManager(allowed_directories=allowed_directories, working_directory=directory,
+ selected_file=selected_file, exclude=exclude)
 self.commands = {'read': self.read,
 'write': self.write,
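Review bot: The whitelist test in the `workdir` setter resolves only one side of the comparison and then stores the unresolved path: `realpath(directory)` is checked against entries that the new `allowed_directories` setter keeps exactly as supplied, and `self._workdir = directory` keeps the original string. An entry written with a symlink, a relative component or a trailing slash will therefore never match, a plain string passed as the whitelist turns `in` into a substring test, and a symlinked working directory whose target changes after the check is no longer covered by it. Normalising the entries once in the setter and storing the resolved path addresses all three. `None` or an empty list also skips the check entirely, which deserves a comment if it is intended. The decorator of `workdir` and the file accessors lie outside this hunk, so whether individual file paths are also resolved against the whitelist cannot be seen here.

```python
    def workdir(self, directory):
        # … unchanged: exists()/isdir() check …
        resolved = realpath(directory)
        if self.allowed_directories and resolved not in self._allowed_directories:
            raise EnvironmentError('Directory "{}" is not in whitelist!'.format(directory))
        # keep the path that was actually checked, not the caller's spelling of it
        self._workdir = resolved

    @allowed_directories.setter
    def allowed_directories(self, directories):
        if isinstance(directories, str):
            # a bare string would make `in` a substring match
            directories = [directories]
        self._allowed_directories = (
            {realpath(entry) for entry in directories} if directories else directories
        )
```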