51 lines
1.2 KiB
Plaintext
51 lines
1.2 KiB
Plaintext
|
=== How to fix it in Flask
|
||
|
|
|
||
|
|
:code_impact: read
|
||
|
|
include::../../common/fix/code-rationale.adoc[]
|
||
|
|
|
||
|
|
==== Noncompliant code example
|
||
|
|
|
||
|
|
[source,python,diff-id=1,diff-type=noncompliant]
|
||
|
|
----
|
||
|
|
from flask import Flask, request, send_from_directory
|
||
|
|
|
||
|
|
app = Flask('example')
|
||
|
|
|
||
|
|
@app.route('/example')
|
||
|
|
def example():
|
||
|
|
my_file = request.args['my_file']
|
||
|
|
return send_file("static/%s" % my_file, as_attachment=True) # Noncompliant
|
||
|
|
----
|
||
|
|
|
||
|
|
==== Compliant solution
|
||
|
|
|
||
|
|
[source,python,diff-id=1,diff-type=compliant]
|
||
|
|
----
|
||
|
|
from flask import Flask, request, send_from_directory
|
||
|
|
|
||
|
|
app = Flask('example')
|
||
|
|
|
||
|
|
@app.route('/example')
|
||
|
|
def example():
|
||
|
|
my_file = request.args['my_file']
|
||
|
|
return send_from_directory('static', my_file)
|
||
|
|
----
|
||
|
|
|
||
|
|
=== How does this work?
|
||
|
|
|
||
|
|
:auto_canonicalization_function: send_from_directory
|
||
|
|
|
||
|
|
The universal method to prevent path injection is to validate paths created
|
||
|
|
from untrusted data. This can be done either manually or automatically,
|
||
|
|
depending on whether the library includes a data sanitization feature and the
|
||
|
|
required function.
|
||
|
|
|
||
|
|
Here, {auto_canonicalization_function} can be considered a secure-by-design API.
|
||
|
|
|
||
|
|
include::../../common/fix/function-based-validation.adoc[]
|
||
|
|
|
||
|
|
=== Pitfalls
|
||
|
|
|
||
|
|
include::../../common/pitfalls/python-path-join.adoc[]
|
||
|
|
|