Merge commit from fork

g0blinResearch · g0blin · web-flow · commit 0e6b8ccabf2a · 2026-04-07T17:09:43.000-07:00
* Prevent path traversal when embedding images

* Switch from realpath to abspath to avoid symlink abuse

---------

Co-authored-by: g0blin &lt;g0blin@hackthebox.com&gt;
diff --git a/nbconvert/filters/markdown_mistune.py b/nbconvert/filters/markdown_mistune.py
@@ -437,6 +437,11 @@ def _src_to_base64(self, src: str) -> Optional[str]:
         """
         src_path = os.path.join(self.path, src)
 
+        resolved = os.path.abspath(src_path)
+        allowed_base = os.path.abspath(self.path)
+        if not resolved.startswith(allowed_base + os.sep) and resolved != allowed_base:
+            return None
+
         if not os.path.exists(src_path):
             return None
 
diff --git a/tests/exporters/test_html.py b/tests/exporters/test_html.py
@@ -3,7 +3,10 @@
 # Copyright (c) IPython Development Team.
 # Distributed under the terms of the Modified BSD License.
 
+import base64
+import os
 import re
+from tempfile import TemporaryDirectory
 
 import pytest
 from nbformat import v4
@@ -264,6 +267,31 @@ def test_language_code_error(self):
 
         assert '<html lang="en">' in output
 
+    def test_embed_images_path_traversal_blocked(self):
+        """Path traversal in image src should be blocked when embed_images=True"""
+        with TemporaryDirectory() as parent_dir:
+            # Create a secret file that an attacker would try to exfiltrate
+            secret_content = b"SUPERSECRETCONTENT"
+            with open(os.path.join(parent_dir, "secret.txt"), "wb") as f:
+                f.write(secret_content)
+
+            # Create a temp subdirectory to serve as the notebook's working path
+            with TemporaryDirectory(dir=parent_dir) as notebook_dir:
+                # Build a notebook with path traversal image references
+                nb = v4.new_notebook()
+                nb.cells.append(v4.new_markdown_cell("![exfil](../secret.txt)"))
+                nb.cells.append(v4.new_markdown_cell('<img src="../secret.txt" alt="exfil"/>'))
+
+                exporter = HTMLExporter()
+                exporter.embed_images = True
+                html, _ = exporter.from_notebook_node(
+                    nb, resources={"metadata": {"path": notebook_dir}}
+                )
+
+                # The secret content must NOT appear as base64 in the output
+                target_b64 = base64.b64encode(secret_content).decode()
+                self.assertNotIn(target_b64, html)
+
 
 @pytest.mark.parametrize(
     ("lexer_options"),
