From 4e0874e1bede38aca8127db70e4eda9696456382 Mon Sep 17 00:00:00 2001 From: liangyongxiong Date: Tue, 23 Jun 2020 12:14:29 +0800 Subject: [PATCH] enhance robust validation for --url-path-prefix parameter --- .gitignore | 2 ++ mindinsight/scripts/start.py | 16 ++++++++++++---- mindinsight/ui/public/index.html | 2 +- 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 115748c..41d884f 100644 --- a/.gitignore +++ b/.gitignore @@ -86,3 +86,5 @@ build/* output/ !output/README.md + +mindinsight/ui/public/static/js/graphvizlib.wasm diff --git a/mindinsight/scripts/start.py b/mindinsight/scripts/start.py index 77a847c..3dcff48 100644 --- a/mindinsight/scripts/start.py +++ b/mindinsight/scripts/start.py @@ -122,7 +122,8 @@ class PortAction(argparse.Action): class UrlPathPrefixAction(argparse.Action): """Url Path prefix action class definition.""" - REGEX = r'^(\/[a-zA-Z0-9-\-\.]+)+$' + INVALID_SEGMENTS = ('.', '..') + REGEX = r'^[a-zA-Z0-9_\-\.]+$' def __call__(self, parser, namespace, values, option_string=None): """ @@ -135,8 +136,12 @@ class UrlPathPrefixAction(argparse.Action): option_string (str): Optional string for specific argument name. Default: None. """ prefix = values - if not re.match(self.REGEX, prefix): - parser.error(f'{option_string} value is invalid url path prefix') + segments = prefix.split('/') + for index, segment in enumerate(segments): + if not segment and index in (0, len(segments) - 1): + continue + if segment in self.INVALID_SEGMENTS or not re.match(self.REGEX, segment): + parser.error(f'{option_string} value is invalid url path prefix') setattr(namespace, self.dest, prefix) 
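Review bot: The new `REGEX` ends in `$`, which in Python also matches just before a trailing newline, so with the `re.match` call in `__call__` (the following hunk) a final segment such as `abc\n` is still accepted as a valid prefix. Anchoring with `\Z`, as in `REGEX = r'^[a-zA-Z0-9_\-\.]+\Z'`, or calling `re.fullmatch(self.REGEX, segment)` at the call site closes that gap. A short comment above `INVALID_SEGMENTS` saying that `.` and `..` are rejected because the character class alone would allow these relative-path segments would help the next reader. The class body continues outside the hunk.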
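Review bot: The validated value is stored exactly as typed by `setattr(namespace, self.dest, prefix)`, while the loop now accepts `foo`, `/foo`, `foo/` and a bare `/` alike, so every consumer of the prefix has to cope with a missing leading slash or an extra trailing one. Whether the callers normalise it is not visible here; if they do not, storing a canonical form such as `prefix = ''.join(f'/{s}' for s in segments if s)` before the `setattr` keeps the default `''` and yields `/a/b` for everything else. Interior empty segments (`a//b`) are rejected only because the empty string fails `REGEX`, and a one-line comment saying so would make that intent explicit. `__call__` starts above this hunk.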
@@ -186,7 +191,10 @@ class Command(BaseCommand): type=str, action=UrlPathPrefixAction, help=""" - Custom path prefix for web page address. Default value is ''. + Custom URL path prefix for web page address. URL path prefix + consists of segments separated by slashes. Each segment supports + alphabets / digits / underscores / dashes / dots, but cannot just + be emtpy string / single dot / double dots. Default value is ''. """) for hook in HookUtils.instance().hooks(): diff --git a/mindinsight/ui/public/index.html b/mindinsight/ui/public/index.html index 0a7a789..ef79e69 100644 --- a/mindinsight/ui/public/index.html +++ b/mindinsight/ui/public/index.html @@ -21,7 +21,7 @@ limitations under the License. - + MindInsight
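Review bot: The new help text for `--url-path-prefix` misspells "empty" as `emtpy` in the line `be emtpy string / single dot / double dots.`, and this string is printed to users by `--help`. It also says a segment cannot be an empty string, whereas the check in `UrlPathPrefixAction` skips an empty first and last segment, so a leading or trailing slash is in fact allowed. Adding a sentence such as `A leading or trailing slash is optional.` would make the help match the validation. The `add_argument` call starts outside the hunk.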