Refactor React route handling to improve security and clarity; add module docstring, normalize path to prevent directory traversal, and ensure static folder is configured.

2025-07-23 01:45:05 +07:00 · 2025-07-23 01:45:05 +07:00 · a2a12b4c49
commit a2a12b4c49
parent 8940d57b25
1 changed files with 26 additions and 12 deletions
--- a/routes/react.py
+++ b/routes/react.py
@ -1,10 +1,13 @@
-import sys
+"""Module to handle the React routes."""
+
 import os
-from flask import Blueprint, send_from_directory, request, render_template
+import sys
+
+from flask import Blueprint, send_from_directory, render_template
 from configs import index_tags

 if getattr(sys, "frozen", False):  # Running as a bundled app
-    base_path = sys._MEIPASS
+    base_path = getattr(sys, "_MEIPASS", os.path.abspath("."))
 else:  # Running in a normal Python environment
    base_path = os.path.abspath(".")

@ -23,12 +26,23 @@ react_bp = Blueprint(
@react_bp.route("/<path:path>", methods=["GET"])
@react_bp.route("/<path>", methods=["GET"])
 def index(path=""):
-    if request.method == "GET":
-        file_path = os.path.join(react_bp.static_folder, path)
-        if path != "" and os.path.exists(file_path):
-            return send_from_directory(react_bp.static_folder, path)
-        elif path.lower() in ["", "cache", "api", "testplayer", "account"]:
-            data = index_tags.tags.get(path.lower(), index_tags.tags["index"])
-            return render_template("index.html", data=data)
-        else:
-            return send_from_directory(react_bp.static_folder, "index.html")
+    """Handle the index route."""
+    # Ensure static_folder is not None
+    if react_bp.static_folder is None:
+        raise ValueError("Static folder is not configured for the blueprint")
+
+    # Normalize the path to prevent directory traversal
+    safe_path = os.path.normpath(path)
+    file_path = os.path.join(react_bp.static_folder, safe_path)
+
+    if path and os.path.exists(file_path):
+        return send_from_directory(react_bp.static_folder, safe_path)
+
+    # Only allow certain paths to render index.html with tags
+    allowed_paths = ["", "cache", "api", "testplayer", "account"]
+    if safe_path.lower() in allowed_paths:
+        data = index_tags.tags.get(safe_path.lower(), index_tags.tags.get("index", {}))
+        return render_template("index.html", data=data)
+
+    # Fallback: serve index.html for all other routes (SPA)
+    return send_from_directory(react_bp.static_folder, "index.html")