fix(dashboard): make .env sensitive-file guard case-insensitive

Follow-up to #57507: .ENV / .Env.local on case-insensitive filesystem
mounts slipped past the guard. Lowercase the name before matching and
add a regression test. Addresses egilewski's open review note.
This commit is contained in:
teknium1 2026-07-03 03:06:55 -07:00 committed by Teknium
parent 62882b8e6f
commit 7485fe0605
2 changed files with 19 additions and 2 deletions

View file

@ -1192,8 +1192,13 @@ _FS_READDIR_HIDDEN = {
# and exposing them through the dashboard file browser is a security leak —
# see issue #57505.
def _is_sensitive_filename(name: str) -> bool:
"""Return True for ``.env`` and any ``.env.<suffix>`` variant."""
return name == ".env" or name.startswith(".env.")
"""Return True for ``.env`` and any ``.env.<suffix>`` variant.
Case-insensitive so ``.ENV`` / ``.Env.local`` on case-insensitive
filesystems (macOS/Windows mounts) can't slip past the guard.
"""
lowered = name.lower()
return lowered == ".env" or lowered.startswith(".env.")
_FS_DATA_URL_MAX_BYTES = 16 * 1024 * 1024
_FS_TEXT_SOURCE_MAX_BYTES = 64 * 1024 * 1024
_FS_TEXT_PREVIEW_MAX_BYTES = 512 * 1024

View file

@ -548,3 +548,15 @@ def test_sensitive_env_suffix_variants_blocked(forced_files_client):
p.write_text(f"SECRET_{suffix}=abc123")
assert client.get("/api/files/read", params={"path": str(p)}).status_code == 403
assert client.get("/api/files/download", params={"path": str(p)}).status_code == 403
def test_sensitive_env_case_insensitive_blocked(forced_files_client):
"""Regression: .ENV / .Env.local casings must be blocked too (case-insensitive FS mounts)."""
client, root = forced_files_client
root.mkdir(parents=True, exist_ok=True)
for name in (".ENV", ".Env.local", ".eNv.PROD"):
p = root / name
p.write_text("SECRET=abc123")
assert client.get("/api/files/read", params={"path": str(p)}).status_code == 403
assert client.get("/api/files/download", params={"path": str(p)}).status_code == 403