Fix code scanning alert - Uncontrolled data used in path expression

Question

Fix code scanning alert - Uncontrolled data used in path expression

Closed this issue 3 years ago · 3 comments

SMEISEN commented 3 years ago

Tracking issue for:

https://github.com/SMEISEN/RidingCoachApp/security/code-scanning/2
Do not allow more than a single “.” character.
Do not allow directory separators such as “/” or “\” (depending on the file system).
Do not rely on simply replacing problematic sequences such as “../”. For example, after applying this filter to “…/…//”, the resulting string would still be “../”.
Use an allowlist of known good patterns.

Answer 1 · 2021-12-26T17:19:10.000Z

remove all dots and directory delimiters from the filename before using

Answer 2 · 2021-12-26T17:34:23.000Z

test = "../test/../test\\.../...//test.csv"

# remove slashes and backslashes
test = test.replace("/", "").replace("\\", "")

# remove multiple dots
dots = test.count(".")
dots = [f"{i*'.'}" for i in range(2,dots)]
for dot in dots:
    test = test.replace(dot, "")

Answer 3 · 2022-01-23T09:03:17.000Z

use https://werkzeug.palletsprojects.com/en/2.0.x/utils/#werkzeug.utils.secure_filename