From e471ab03e971895fcdc2a4b2298ae30180e41b17 Mon Sep 17 00:00:00 2001
From: Pongsatorn <pongsatorn.kanja@gmail.com>
Date: Fri, 8 Aug 2025 23:22:04 +0700
Subject: [PATCH] update pympta.py to only receive from models folder

---
 siwatsystem/pympta.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/siwatsystem/pympta.py b/siwatsystem/pympta.py
index 5e32596..68bef69 100644
--- a/siwatsystem/pympta.py
+++ b/siwatsystem/pympta.py
@@ -54,6 +54,21 @@ def load_pipeline_node(node_config: dict, mpta_dir: str) -> dict:
     return node
 
 def load_pipeline_from_zip(zip_source: str, target_dir: str) -> dict:
+    # Restrict to models directory for security
+    if not zip_source.startswith('models/'):
+        zip_source = os.path.join('models', zip_source)
+    
+    # Validate the path is within models directory (prevent path traversal)
+    try:
+        abs_zip_path = os.path.abspath(zip_source)
+        abs_models_path = os.path.abspath('models')
+        if not abs_zip_path.startswith(abs_models_path):
+            logger.error(f"Security violation: {zip_source} is outside models directory")
+            return None
+    except Exception as e:
+        logger.error(f"Error validating path {zip_source}: {str(e)}")
+        return None
+    
     logger.info(f"Attempting to load pipeline from {zip_source} to {target_dir}")
     os.makedirs(target_dir, exist_ok=True)
     zip_path = os.path.join(target_dir, "pipeline.mpta")