zerasul/blask

Fix sonar vulnerability

zerasul opened this issue · 3 comments

@zerasul I understand that the issue is that the user can input any filename in the URL and the system will open and render it. We need to clean it so it only allows opening files from the base directory, not traversing filepaths.

The solution is to use safe_join instead of path_join I believe: https://tedboy.github.io/flask/interface_api.useful_funcs.html#flask.safe_join

Thanks a lot for the help @dukebody, I already merged the pull request.
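To make the difference concrete, here is an added example (not code from the blask project or from the thread above) contrasting the unsafe `os.path.join` pattern the first comment describes with a minimal re-implementation of the checks that `safe_join` applies. The `BASE_DIR` value and the file names are constructed for illustration, and `safe_join` below is an assumption about the helper's semantics written for this example; in a real application use the library function itself (`flask.safe_join` in older releases, `werkzeug.utils.safe_join` in current ones) rather than this copy.

```python
import os
import posixpath

# Constructed base directory for the example; the real app uses its own content root.
BASE_DIR = "/srv/blask/content"


def unsafe_resolve(base, filename):
    """The vulnerable pattern: join a user-supplied name onto the base and trust the result.

    os.path.join happily follows '..' segments, so the normalized path can
    land outside `base`.
    """
    return os.path.normpath(os.path.join(base, filename))


def escapes_base(base, resolved):
    """True when `resolved` is not inside `base` (a detection check, useful in tests/logs)."""
    base = os.path.normpath(base)
    try:
        return os.path.commonpath([base, resolved]) != base
    except ValueError:
        # Different drives on Windows, or mixing absolute/relative paths: treat as escaped.
        return True


def safe_join(base, *paths):
    """Minimal re-implementation of werkzeug.utils.safe_join semantics (assumption).

    Each user-controlled component is normalized and rejected if it is
    absolute, is '..', starts with '../', or contains an alternative
    separator. Returns None on rejection instead of a path outside `base`.
    """
    parts = [base]
    for p in paths:
        if p != "":
            p = posixpath.normpath(p)
        if "\\" in p or posixpath.isabs(p) or p == ".." or p.startswith("../"):
            return None
        parts.append(p)
    return posixpath.join(*parts)


def resolve_page(base, filename):
    """What a hardened route handler should do: refuse rather than render on rejection."""
    joined = safe_join(base, filename)
    if joined is None:
        # In Flask this is where you would abort(404) or abort(403).
        raise PermissionError(f"refusing to serve {filename!r}: outside content root")
    return joined


if __name__ == "__main__":
    for name in ["posts/hello.md", "../../etc/passwd", "posts/../../secret.md", "/etc/passwd"]:
        bad = unsafe_resolve(BASE_DIR, name)
        print(f"{name!r:28} unsafe -> {bad} (escapes={escapes_base(BASE_DIR, bad)})"
              f" | safe_join -> {safe_join(BASE_DIR, name)}")
```

Running the block prints, for each constructed name, where the naive join would land and whether `safe_join` accepts it; the traversal and absolute-path cases come back as `None`, which is the signal the handler turns into a 4xx response instead of opening a file.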