Is there an existing issue for this?
I have searched the existing issues and this has not been reported.
What happened?
Describe the bug
In backend/app/routes/face_clusters.py lines 221-242, the file
path received from the request payload is used directly in
os.path.isfile() and open() without any boundary validation.
Code
file_path = request.body.get("image_path")  # attacker-controlled, unvalidated
if os.path.isfile(file_path):
    with open(file_path, "rb") as f:
        data = f.read()
Problem
A path like ../../Documents/private.pdf or
../../AppData/Roaming/com.pictopy.app/settings.json
would pass the os.path.isfile() check and allow reading
files outside the intended image directories.
Impact
- Read files outside designated image folders
- Access PictoPy's own database and settings files
- Access user's personal documents
- Low risk currently (desktop-only) but becomes critical if network/sharing features are added in future
Expected Behavior
The backend should validate that the provided path stays
within the registered image directories before processing.
Proposed Fix
base_dir = os.path.abspath(ALLOWED_IMAGES_DIR)
requested = os.path.abspath(file_path)
if not requested.startswith(base_dir):
    raise HTTPException(
        status_code=400,
        detail="Invalid file path"
    )
Classification
- Type: Path Traversal / Directory Traversal
- CWE: CWE-22
- Severity: Low (desktop-only, local access required)
Steps to Reproduce
- Start PictoPy backend
- Send POST request to face search endpoint with image_path set to a path traversal payload
- Observe that files outside image directories are accessible
Environment
- OS: Windows/Linux/macOS
- PictoPy version: 1.1.0