
Fix code scanning alert no. 28: Uncontrolled data used in path expression #932

Closed
wants to merge 1 commit into from

Conversation

arkid15r
Collaborator

@arkid15r arkid15r commented Oct 1, 2024

Fixes https://github.com/OWASP/Nettacker/security/code-scanning/28

To fix the problem, we need to ensure that the filename parameter is securely validated before being used to access the file system. The best way to do this is to:

  1. Normalize the path to remove any relative path components.
  2. Ensure that the resulting path is within the intended directory by comparing the common prefix of the normalized path and the base directory.

We will modify the get_file function to include these steps.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…sion

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Arkadii Yakovets <[email protected]>
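The two steps the description lists (normalize, then confirm the result is still inside the base directory) are the standard containment check for a user-controlled filename, but the wording "common prefix" hides a real footgun: `os.path.commonprefix` compares strings character by character, so `/srv/reports2/x` passes a prefix check against `/srv/reports`. The example below is an added illustration, not code from this PR or from Nettacker; the directory `/srv/reports`, the file names and the helper names are assumptions. It shows the naive prefix check next to a hardened version that resolves symlinks and compares whole path components with `os.path.commonpath`.

```python
import os


def naive_prefix_check(base_dir, filename):
    """The 'common prefix' approach taken literally: string comparison only.

    Accepts sibling directories whose name merely starts with the base
    directory's name (e.g. /srv/reports2 under /srv/reports), so it is
    shown here only as the pattern to avoid.
    """
    base = os.path.normpath(base_dir)
    candidate = os.path.normpath(os.path.join(base, filename))
    return os.path.commonprefix([base, candidate]) == base


def resolve_in_base(base_dir, filename):
    """Return the absolute path of `filename` inside `base_dir`, or None.

    None means the request must be refused: the caller should not fall
    back to any other location.
    """
    # realpath collapses ".", ".." and symlinks, so a link planted inside
    # the base directory cannot be used to point outside it.
    base = os.path.realpath(base_dir)

    # os.path.join throws `base` away when `filename` is absolute, so an
    # attacker-supplied "/etc/passwd" would survive a naive join; the
    # containment check below catches that case as well.
    candidate = os.path.realpath(os.path.join(base, filename))

    # commonpath works on whole components, unlike commonprefix. It raises
    # ValueError when the paths cannot share a root (different Windows
    # drives), which is also a rejection.
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:
        return None

    # An empty or "." filename resolves to the directory itself; a file
    # endpoint should never hand that back.
    if candidate == base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs; /srv/reports is a hypothetical report directory.
    for name in ["scan.html", "sub/../scan.html", "../../etc/passwd",
                 "/etc/passwd", "../reports2/x", ""]:
        print(f"{name!r:22} naive={naive_prefix_check('/srv/reports', name)!s:5} "
              f"hardened={resolve_in_base('/srv/reports', name)}")
```

The `../reports2/x` row is the interesting one: the prefix check accepts it, the `commonpath` version rejects it. Whatever `get_file` does next (opening the file, sending it as an attachment), it should operate on the returned absolute path rather than re-joining the original `filename`, so the validated value and the used value are the same object.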
@arkid15r arkid15r closed this Oct 1, 2024
@arkid15r arkid15r deleted the autofix/alert-28-6dcd9ca511 branch October 21, 2024 21:41