
Configure `dotenv_values`'s search space

Open nevercodecorrect opened this issue 11 months ago • 0 comments

Currently, the user-specified path can point to any folder, and dotenv will parse the file anyway, even if it is a file like /etc/passwd. The content of the target file would be available in the error message. This could potentially introduce a path traversal vulnerability if the developer misuses it.

from dotenv import load_dotenv
from dotenv import dotenv_values
import os

# The path is passed through as given: the ".." segments are not rejected,
# so the file they resolve to is opened and parsed as a dotenv file.
config = dotenv_values("../../../etc/passwd")

I am wondering if it is possible to give dotenv_values an additional argument to control whether it would support relative path searching.

nevercodecorrect, Mar 20 '24 09:03
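One way an application can confine the path it hands to `dotenv_values()` while the library has no such option, as an added example that is not python-dotenv's own code: the wrapper `confined_dotenv_values` (a hypothetical name) resolves the user-supplied path under a trusted base directory and refuses anything that escapes it, so a value like `../../../etc/passwd` is rejected before any file is opened. It falls back to a minimal KEY=VALUE reader when python-dotenv is not installed, and `demo()` builds a constructed `.env` in a temporary directory.

```python
import tempfile
from pathlib import Path

try:
    from dotenv import dotenv_values  # the real library, used when installed
except ImportError:  # assumption: keep the example runnable without python-dotenv
    dotenv_values = None


def _fallback_loader(path):
    """Minimal KEY=VALUE reader, used only when python-dotenv is unavailable."""
    values = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip().strip("'\"")
    return values


def confined_dotenv_values(base_dir, user_path, loader=None):
    """Load a dotenv file only if user_path resolves inside base_dir."""
    loader = loader or dotenv_values or _fallback_loader
    root = Path(base_dir).resolve()
    # resolve() collapses ".." and follows symlinks, so a link inside base_dir
    # that points at /etc/passwd is also caught; an absolute user_path replaces
    # root in the join and then fails the containment check below.
    candidate = (root / user_path).resolve()
    if candidate != root and root not in candidate.parents:
        # Do not echo the resolved path: it would leak directory layout.
        raise ValueError("dotenv path escapes the permitted directory")
    if not candidate.is_file():
        raise FileNotFoundError("dotenv file not found in permitted directory")
    return loader(str(candidate))


def demo():
    """Constructed scenario: a real .env plus a traversal attempt against it."""
    with tempfile.TemporaryDirectory() as base:
        Path(base, ".env").write_text("API_TOKEN=example-token\n# note\nDEBUG=1\n")
        loaded = confined_dotenv_values(base, ".env")
        try:
            confined_dotenv_values(base, "../../../etc/passwd")
            rejected = False
        except ValueError:
            rejected = True
        return dict(loaded), rejected
```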