
Fix code scanning alert no. 28: Uncontrolled data used in path expression

Open Ali-Razmjoo opened this issue 1 year ago • 0 comments

Fixes https://github.com/OWASP/Nettacker/security/code-scanning/28

To fix the problem, we need to ensure that the filename parameter is securely validated before being used to access the file system. The best way to do this is to:

  1. Normalize the path to remove any relative path components.
  2. Ensure that the resulting path is within the intended directory by comparing the common prefix of the normalized path and the base directory.

We will modify the get_file function to include these steps.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Ali-Razmjoo avatar Sep 30 '24 14:09 Ali-Razmjoo
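The two steps above (normalize, then confirm the result stays under the base directory), as an added example that is not the Nettacker project's own code; `safe_join`, `get_file`, `naive_prefix_check` and the base directory paths are hypothetical names chosen for this illustration. The containment check uses `os.path.commonpath` rather than a plain string-prefix comparison, because a string prefix alone would also accept a sibling directory whose name merely starts with the base directory's name.

```python
import os


def safe_join(base_dir, filename):
    """Return the absolute path of `filename` inside `base_dir`, or None if it escapes.

    Step 1: normalise via realpath, which collapses '.' and '..' components and
            resolves symlinks, so the comparison is made on the real location.
    Step 2: confirm the normalised path is contained in the base directory.
    """
    base_dir = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_dir, filename))
    try:
        # commonpath compares whole path components, so "/srv/static_evil"
        # is not treated as lying under "/srv/static".
        if os.path.commonpath([base_dir, candidate]) != base_dir:
            return None
    except ValueError:
        # Raised on Windows when the two paths are on different drives.
        return None
    return candidate


def naive_prefix_check(base_dir, filename):
    """Plain string-prefix form of the check, shown only to illustrate its weakness."""
    candidate = os.path.normpath(os.path.join(base_dir, filename))
    return candidate.startswith(base_dir)


def get_file(filename, base_dir):
    """Read `filename` from `base_dir`; None for traversal attempts or missing files."""
    path = safe_join(base_dir, filename)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    # Constructed sample inputs; the base directory does not need to exist.
    base = "/nonexistent_base_for_demo"
    for name in ["css/style.css", "sub/../x.txt", "../../etc/passwd", "/etc/passwd",
                 "../nonexistent_base_for_demo_evil/x"]:
        print(f"{name!r:45} -> {safe_join(base, name)}")
```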