Restrict SaveJSONFile() to the Grafana\public folder

GridProtectionAlliance · Dec 10, 2024 · 219bc28 · 219bc28
1 parent 59ef0d2
commit 219bc28
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/Source/Applications/openHistorian/openHistorian/DataHub.cs b/Source/Applications/openHistorian/openHistorian/DataHub.cs
@@ -1272,11 +1272,11 @@ public bool CheckIfUpdateCOMTRADECountersIsCompleted(uint operationHandle) =>
         /// <returns>URL to download filename.</returns>
         public string SaveJSONFile(string targetFilePath, string json)
         {
-            string localPath = FilePath.GetAbsolutePath("");
+            string localPath = FilePath.GetAbsolutePath(@"Grafana\public");
             targetFilePath = FilePath.GetAbsolutePath(targetFilePath);
 
             // Prevent file saves outside local file path
-            if (!targetFilePath.StartsWith(localPath))
+            if (!targetFilePath.StartsWith(localPath, StringComparison.OrdinalIgnoreCase))
                 throw new SecurityException("Path access error: Cannot save JSON file outside local file path.");
 
             // Prevent saving data that is not valid JSON (helps prevent possible function abuse)