Skip to content

Fix code scanning alert no. 28: Uncontrolled data used in path expression #929

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fix code scanning alert no. 28: Uncontrolled data used in path expression #929

wants to merge 2 commits into from

Conversation

Ali-Razmjoo
Copy link
Collaborator

Fixes https://github.com/OWASP/Nettacker/security/code-scanning/28

To fix the problem, we need to ensure that the filename parameter is securely validated before being used to access the file system. The best way to do this is to:

  1. Normalize the path to remove any relative path components.
  2. Ensure that the resulting path is within the intended directory by comparing the common prefix of the normalized path and the base directory.

We will modify the get_file function to include these steps.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@Ali-Razmjoo @github-advanced-security
Fix code scanning alert no. 28: Uncontrolled data used in path expres…
e3b9a71 
…sion

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Ali Razmjoo <[email protected]>
@Ali-Razmjoo Ali-Razmjoo marked this pull request as ready for review September 30, 2024 14:38
@Ali-Razmjoo
Update core.py
97ef714 
Signed-off-by: Ali Razmjoo <[email protected]>
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 30, 2024
View reviewed changes
nettacker/api/core.py
abort(404)
try:
return open(filename, "rb").read()
return open(fullpath, "rb").read()

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a
user-provided value
Loading
.

Copilot Autofix

AI about 1 year ago

Copilot could not generate an autofix suggestion

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@arkid15r arkid15r Awaiting requested review from arkid15r arkid15r is a code owner

@securestep9 securestep9 Awaiting requested review from securestep9 securestep9 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Ali-Razmjoo