==== os.path.join(path, \*paths)
This function must not be used as a validator (or sanitizer) for untrusted paths.

The standard library states: *"if a component is an absolute path, all previous
components are discarded, and joining continues from the component with the
absolute path."*

This means that including untrusted data in any of the path parameters can lead
to a full or partial path traversal vulnerability: an absolute component such as
`/etc/passwd` replaces the base directory outright, and a relative component
containing `..` segments is joined verbatim, with no check that the result stays
under the intended directory.

https://blog.sonarsource.com/10-unknown-security-pitfalls-for-python/[This Sonar blog post] discusses this issue.
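The behaviour described above, as an added example that is not part of the original page: `naive_join` shows both traversal cases (an absolute component that discards the base directory, and `..` segments that are joined unchecked), `naive_prefix_check` shows the incomplete string-prefix check that still allows a sibling directory through, and `safe_join` shows the containment check a practitioner should use instead. The base directory `/srv/app/uploads` and the function names are assumptions for the example; none of them come from the page.

```python
import os
import os.path

# Assumed base directory for the example (not from the original page).
BASE_DIR = "/srv/app/uploads"


def naive_join(user_path: str) -> str:
    """The pitfall: os.path.join() with untrusted input and no validation.

    An absolute component makes join() discard BASE_DIR entirely, and
    '..' segments are concatenated as-is, so both escape the base directory.
    """
    return os.path.join(BASE_DIR, user_path)


def naive_prefix_check(candidate: str) -> bool:
    """Incomplete containment check: a character-level prefix test.

    '/srv/app/uploads_backup/x' starts with '/srv/app/uploads', so this
    accepts a sibling directory (a partial path traversal).
    """
    return os.path.normpath(candidate).startswith(BASE_DIR)


def safe_join(user_path: str) -> str:
    """Join, resolve, then verify containment by path components.

    realpath() collapses '..' and resolves symlinks on both sides so the
    comparison is made on canonical paths; commonpath() compares whole
    components, so a sibling such as '/srv/app/uploads_backup' is rejected.
    Raises ValueError when the result would leave BASE_DIR.
    """
    base = os.path.realpath(BASE_DIR)
    candidate = os.path.realpath(os.path.join(BASE_DIR, user_path))
    # commonpath() compares component by component, not character by character.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {BASE_DIR}: {user_path!r}")
    return candidate


def is_contained(user_path: str) -> bool:
    """True when safe_join() accepts user_path, False when it rejects it."""
    try:
        safe_join(user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, as an attacker might supply them.
    for p in ["reports/q1.pdf", "../../../etc/passwd", "/etc/passwd"]:
        print(f"{p!r:28} join -> {naive_join(p)!r:44} contained={is_contained(p)}")
    # The prefix check passes a sibling directory that the component check rejects.
    sibling = "/srv/app/uploads_backup/secret"
    print(f"prefix check: {naive_prefix_check(sibling)}, "
          f"component check: {is_contained(sibling)}")
```

Two caveats apply on other platforms: `os.path.commonpath()` raises `ValueError` when the two paths are on different Windows drives (which `safe_join` treats as a rejection, since it is the same exception type), and on Windows a component like `\etc\passwd` is only partly absolute, so `os.path.join()` behaves differently again; the containment check on the canonical paths is what matters, not the form of the input.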