Ensure that the load file paths are children of the storage directory. #5522

docs/en_US/external_database.rst

@@ -1,35 +1,37 @@
 .. _external_database:
 
 ****************************************************
-`External database for pgAdmin configuration`:index:
+`External database for pgAdmin user settings`:index:
 ****************************************************
 
-The configurations used by pgAdmin are stored in the SQLite database.
-There are many settings stored in this database, like preferences,
-user accounts, auto-discovered servers, and many more.
+The user settings used by pgAdmin are stored in a SQLite database. In this
+database, many settings are stored, such as preferences, user accounts,
+auto-discovered servers, and many more.
 
-In SQLite, the database is stored in a single file that may be located anywhere
-in the directory, which means it is not prepared for failure (no HA support).
-In addition, it is not designed to handle many connections reading/writing data
-concurrently.
+As SQLite is a file-based database and it can be anywhere in the file system,
+so it is not designed to take care of failures (no HA support). Furthermore,
+it isn't designed to handle multiple connections concurrently reading/writing
+data to it. Example: In environments such as Kubernetes it may be useful to
+use an alternate backend to avoid using SQLite on non-ephemeral storage and to
+allow HA of the settings database.
 
-pgAdmin added support for storing configurations in an external database to
-prevent this.
-
-Added the 'CONFIG_DATABASE_URI' parameter in the :ref:`config.py <config_py>`
-file.
+In order to prevent this, pgAdmin now supports storing user settings in an
+external database using the new 'CONFIG_DATABASE_URI' parameter in the
+:ref:`config.py <config_py>` file.
 
 Use SQLite Database
 *******************
 
-To use SQLite Database, make sure CONFIG_DATABASE_URI is empty string, such as
-''.
+In order to use SQLite Database, make sure CONFIG_DATABASE_URI parameter is
+set to an empty string like ''. By default it is set to an empty string in the
+config.py so if you would like to use SQLite database then no need to change
+anything.
 
 Use External Database
 *********************
 
-If you want to use an external database, make sure the CONFIG_DATABASE_URI
-format is "dialect+driver://username:password@host:port/database".
+In order to use an external database, make sure CONFIG_DATABASE_URI parameter
+is set like "dialect+driver://username:password@host:port/database".
 
 **Note** It is recommended to create the database in advance.
 

docs/en_US/release_notes_6_16.rst

@@ -43,3 +43,5 @@ Bug fixes
   | `Issue #5465 <https://github.com/pgadmin-org/pgadmin4/issues/5465>`_ -  Fixed an issue where the screen was freezing while closing the wcDocker panel.
   | `Issue #5473 <https://github.com/pgadmin-org/pgadmin4/issues/5473>`_ -  Fixed an issue where AutoComplete was not working correctly due to incorrect regex.
   | `Issue #5475 <https://github.com/pgadmin-org/pgadmin4/issues/5475>`_ -  Fixed an issue where the 'Confirm on close or refresh' setting was ignored when closing the query/ERD tool opened in the new tab.
+  | `Issue #5507 <https://github.com/pgadmin-org/pgadmin4/issues/5507>`_ -  Fixed an issue where pgadmin does not respect reverse proxy any more.
+  | `Issue #5522 <https://github.com/pgadmin-org/pgadmin4/issues/5522>`_ -  Ensure that the load file paths are children of the storage directory.

web/pgadmin/tools/sqleditor/__init__.py

@@ -1792,7 +1792,7 @@ def script():
 def load_file():
     """
     This function gets name of file from request data
-    reads the data and sends back in reponse
+    reads the data and sends back in response
     """
     if request.data:
         file_data = json.loads(request.data, encoding='utf-8')
@@ -1801,6 +1801,11 @@ def load_file():
 
     # retrieve storage directory path
     storage_manager_path = get_storage_directory()
+    try:
+        Filemanager.check_access_permission(storage_manager_path, file_path)
+    except Exception as e:
+        return internal_server_error(errormsg=str(e))
+
     if storage_manager_path:
         # generate full path of file
         file_path = os.path.join(