Alberto Carmona

Reputation: 477

SuspiciousOperation when loading image in django

I'm deploying a web application in Django, and there is one page that loads some images from my static files that is returning the following error:

SuspiciousOperation at /wallet
Attempted access to '/coins/' denied.

I've been reading that it's because of the media files, but I don't understand it because all the other static files load correctly. I'm using S3 from AWS.

This is my s3 configuration file:

import datetime
import os

BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

# Credentials and bucket name redacted by the poster.
AWS_ACCESS_KEY_ID = "whatever"
AWS_SECRET_ACCESS_KEY = "whatever"
AWS_STORAGE_BUCKET_NAME = 'xxx'
AWS_S3_CUSTOM_DOMAIN = '%s.s3.us-east-2.amazonaws.com' % AWS_STORAGE_BUCKET_NAME
AWS_S3_OBJECT_PARAMETERS = {
    'CacheControl': 'max-age=86400',
}
# Key prefix inside the bucket; django-storages uses it as the base path
# that every file name is joined onto (and must stay inside of).
AWS_LOCATION = 'static'

STATICFILES_DIRS = [
    os.path.join(BASE_DIR, '../static'),
]
STATIC_URL = 'https://%s/%s/' % (AWS_S3_CUSTOM_DOMAIN, AWS_LOCATION)
STATICFILES_STORAGE = 'storages.backends.s3boto3.S3Boto3Storage'
MEDIA_URL = ''
MEDIA_ROOT = ''

and the whole error in debug mode is the following one:

Environment:


Request Method: GET
Request URL: http://ip/wallet

Django Version: 2.0.5
Python Version: 3.6.6
Installed Applications:
['django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'profiles',
 'portfolios',
 'django_extensions',
 'rest_framework',
 'corsheaders',
 'storages']
Installed Middleware:
['django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'corsheaders.middleware.CorsMiddleware',
 'django.middleware.common.CommonMiddleware']


Template error:
In template /home/ubuntu/chimpy/templates/base.html, error at line 54
   Attempted access to '/coins/' denied.
   44 : <div class="sidebar-user">
   45 :     {% load static %}
   46 :     {#        <div class="sbuser-pic"><a href="/user"><img src="{% static 'batman-for-facebook.jpg' %}" alt="" class="sbuser-pic-image"></a></div>#}
   47 :     <div class="sbuser-welcome">
   48 :         <h4 class="sbuser-name">Hola {{ request.user }}</h4>
   49 :     </div>
   50 : </div>
   51 : <div class="sb-menu">
   52 :     <ul class="sb-ul">
   53 :         <li id="dashboard" class="{% if active == 'dashboard' %}active{% endif %}"><i class="fas fa-sitemap"></i>Panel</li>
   54 :         <li id="wallet" class="{% if  active == 'wallet' %}a ctive{% endif %}"><i class="fas fa-coins"></i>Cartera</li>
   55 :         <li id="history" class="{% if active == 'history' %}active{% endif %}"><i class="fas fa-history"></i>Histórico</li>
   56 :         <li id="user" class="{% if active == 'settings' %}active{% endif %}"><i class="fas fa-cogs"></i>Ajustes</li>
   57 :     </ul>
   58 :     <ul id="responsive-menu">
   59 :         <li id="app-name"><a href="/dashboard">Suribit</a></li>
   60 :         <li id="blank-space"></li>
   61 :         <li id="hello">Hola {{ request.user }}</li>
   62 :         <li id="logout"><button class="logout" onclick="location.href = '/logout';"><i class="fas fa-power-off"></i> Desconectarse </button></li>
   63 : {#        make it a double button#}
   64 :     </ul>


Traceback:

File "/home/ubuntu/django_env/lib/python3.6/site-packages/storages/backends/s3boto3.py" in _normalize_name
  377.             return safe_join(self.location, name)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/storages/utils.py" in safe_join
  79.         raise ValueError('the joined path is located outside of the base path'

During handling of the above exception (the joined path is located outside of the base path component), another exception occurred:

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/core/handlers/exception.py" in inner
  35.             response = get_response(request)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/core/handlers/base.py" in _get_response
  128.                 response = self.process_exception_by_middleware(e, request)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/core/handlers/base.py" in _get_response
  126.                 response = wrapped_callback(request, *callback_args, **callback_kwargs)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/contrib/auth/decorators.py" in _wrapped_view
  21.                 return view_func(request, *args, **kwargs)

File "/home/ubuntu/chimpy/portfolios/views.py" in portfolio_edit
  149.                        'user_lapse': user_lapse})

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/shortcuts.py" in render
  36.     content = loader.render_to_string(template_name, context, request, using=using)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/loader.py" in render_to_string
  62.     return template.render(context, request)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/backends/django.py" in render
  61.             return self.template.render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render
  175.                     return self._render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in _render
  167.         return self.nodelist.render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render
  943.                 bit = node.render_annotated(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render_annotated
  910.             return self.render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/loader_tags.py" in render
  155.             return compiled_parent._render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in _render
  167.         return self.nodelist.render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render
  943.                 bit = node.render_annotated(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render_annotated
  910.             return self.render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/loader_tags.py" in render
  67.                 result = block.nodelist.render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render
  943.                 bit = node.render_annotated(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render_annotated
  910.             return self.render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/templatetags/static.py" in render
  106.         url = self.url(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/templatetags/static.py" in url
  103.         return self.handle_simple(path)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/templatetags/static.py" in handle_simple
  118.             return staticfiles_storage.url(path)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/storages/backends/s3boto3.py" in url
  561.         name = self._normalize_name(self._clean_name(name))

File "/home/ubuntu/django_env/lib/python3.6/site-packages/storages/backends/s3boto3.py" in _normalize_name
  380.                                       name)

Exception Type: SuspiciousOperation at /wallet
Exception Value: Attempted access to '/coins/' denied.

Many thanks.

Upvotes: 3

Views: 1409

Answers (1)

Bipul Jain

Reputation: 4643

Django automatically creates paths for media files based on MEDIA_URL, i.e. /media/.

Values in the field don't start with "/", and Django considers it a suspicious value/operation because, if it's there, with certain tricks you/hackers would be able to access system files.

Try changing the field value from '/coins/abc.jpg' to just 'coins/abc.jpg' manually via the Django shell or an SQL query.

Django by default creates the value in the latter pattern.

Upvotes: 6
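To make the answer concrete, here is an added illustration (not django-storages' own code) of the "joined path is located outside of the base path" check that the traceback's safe_join raises: a simplified reimplementation using posixpath, with the base set to the question's AWS_LOCATION = 'static'. The helper names safe_join, is_inside_base and clean_stored_name are assumptions of this example.

```python
import posixpath

# Simplified stand-in for the check in django-storages' safe_join (storages/utils.py);
# not the library's code, only an illustration of why '/coins/abc.jpg' is refused.

def safe_join(base, *paths):
    """Join *paths onto base and refuse any result that escapes base.

    A leading '/' makes posixpath.join discard the base entirely, and a '..'
    component walks above it; both leave the base prefix and are rejected.
    """
    base_path = base.rstrip("/")
    final_path = base_path
    for p in paths:
        final_path = posixpath.normpath(posixpath.join(final_path, p))
    # Accept the base itself or anything strictly under "<base>/".
    if final_path != base_path and not final_path.startswith(base_path + "/"):
        raise ValueError("the joined path is located outside of the base path component")
    return final_path

def is_inside_base(base, name):
    """True when safe_join accepts name under base, False when it rejects it."""
    try:
        safe_join(base, name)
        return True
    except ValueError:
        return False

def clean_stored_name(name):
    """Rewrite a stored field value into the relative form Django itself writes
    ('coins/abc.jpg'). Only leading slashes are stripped; a '..' escape is left
    in place so that safe_join still rejects it instead of silently 'fixing' it."""
    if not name:
        return name
    return posixpath.normpath(name).lstrip("/")

if __name__ == "__main__":
    # Constructed sample values mirroring the question's error.
    for value in ("coins/abc.jpg", "/coins/abc.jpg", "../secrets.txt"):
        print(repr(value), "accepted" if is_inside_base("static", value) else "denied")
    print(repr(clean_stored_name("/coins/abc.jpg")))
```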
