(PTC-W6004) Audit required: External control of file name or path #70
Labels: bug (Something isn't working), enhancement (New feature or request), Linter (Any linter tool or setting file enhancements)

reactive-firewall added the bug, enhancement and Linter labels on Sep 9, 2024
reactive-firewall added a commit that referenced this issue on Sep 9, 2024:

Changes in file setup.py:
def readFile(filename):
- fixed PTC-W6004 by improved input checking
During discussion of improvements in PR #71:

🤔 ok Let's try this approach:

try:
- if str("""E.md""") not in filename and str("""requirements.txt""") not in filename:
- raise NotImplementedError("""[CWE-440] Not Implemented.""")
+ allowed_files = ["""E.md""", """requirements.txt"""]
+ if not any(allowed_file in filename for allowed_file in allowed_files):
+ raise ValueError(str(
+ """[CWE-] Access to the file {} is not allowed."""
+ ).format(filename))
with open(str("""./{}""").format(str(filename))) as f:
theResult = f.read()
- except Exception:
- theResult = str(
- """See https://github.com/reactive-firewall/multicast/{}"""
- ).format(filename)
+ except Exception as err:
+ theResult = str(
+ """See https://github.com/reactive-firewall/multicast/{fn}\n{e}"""
+ ).format(fn=filename, e=str(err)))
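Review bot: the last `+` line, `).format(fn=filename, e=str(err)))`, closes one parenthesis too many (only `str(` and `.format(` are still open at that point), so the patched block will not parse; drop the trailing `)`. Two more points on the same hunk. First, `any(allowed_file in filename for allowed_file in allowed_files)` is a substring test, so a name such as `README.md` (which contains `E.md`) or `../E.md` satisfies it and still reaches `open(str("./{}").format(str(filename)))`, which is exactly the external-control-of-path behaviour PTC-W6004 flags; compare the exact basename against the allow list (or resolve the path and check it stays under the intended directory) instead, and restore the CWE number in the new `[CWE-]` message (the removed line carried CWE-440). Second, because the `raise ValueError(...)` sits inside the `try:`, the `except Exception as err:` below catches it and turns the rejection into the `See https://github.com/reactive-firewall/multicast/{fn}` fallback string, so a disallowed name never actually fails; either move the check above the `try:` or re-raise it in the handler.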
reactive-firewall added a commit that referenced this issue on Sep 9, 2024:

…e-67-fix'

* PR #71 (feature-70-fix):
  [REGRESSION] fix for typo in setup.py 🙉
  [PATCH] Applied changes as discussed in review (- WIP #71 -)
  [PATCH] Improves on fix by using function to practice the D.R.Y. principle (- WIP #71 -)
  [STYLE] Improved input checking during bootstrap (- WIP #70 -)
* PR #68 (feature-bandit):
  Update .github/workflows/bandit.yml to test auto-fixes
  Update .github/workflows/bandit.yml to point at own fork
  Update bandit.yml
  Create bandit.yml
* PR #69 (feature-67-fix):
  [FIX] Stability fix for error handling (- WIP #67 -)

Changes in file .github/workflows/bandit.yml:
- New workflow to bandit scan the repo.
Changes in file multicast/__main__.py:
def doStep(self, *args):
- fix for error handling by simplifying use of `Exception.args`
Changes in file setup.py:
def readFile(filename):
- stability and security improvements to bootstrapping.
Description

Python's open() function can take in a relative or absolute path and read its file contents. If a user is provided direct access to the path that is opened, it can have serious security risks.

Occurrences
There is 1 occurrence of this issue in the repository.
https://github.com/reactive-firewall/multicast/blob/v1.4.4/setup.py#L74-L74
See all occurrences on DeepSource → app.deepsource.com/gh/reactive-firewall/multicast/issue/PTC-W6004/occurrences/
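As an added example (not the project's own setup.py code), this is the shape of check the finding calls for in Python: an exact allow list rather than a substring match, plus a containment check on the resolved path, with the allowed names and the base directory assumed for illustration.

```python
import os
import tempfile

# Assumed allow list, using the two file names discussed in the thread above.
ALLOWED_FILES = frozenset({"E.md", "requirements.txt"})


def safe_read_file(filename, base_dir):
    """Read `filename` from `base_dir` only if it is an exact, allowed file name."""
    # A bare file name must survive basename() unchanged: this rejects
    # "../E.md", "sub/E.md" and absolute paths before any filesystem access.
    if not isinstance(filename, str) or filename != os.path.basename(filename):
        raise ValueError("[CWE-22] Path-like file name rejected: {!r}".format(filename))
    # Exact membership, not substring containment, so "README.md" does not
    # pass just because it happens to contain "E.md".
    if filename not in ALLOWED_FILES:
        raise ValueError("[CWE-22] Access to the file {!r} is not allowed.".format(filename))
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    # Defence in depth: the resolved target must still sit under base_dir,
    # which also catches an allowed name that is a symlink pointing elsewhere.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("[CWE-22] Resolved path escapes the base directory.")
    # Rejections above propagate as ValueError; nothing is swallowed into a
    # fallback string, so a caller (and its logs) can see a refused request.
    with open(target, "r", encoding="utf-8") as f:
        return f.read()


def demo():
    """Exercise the reader on constructed sample files in a scratch directory."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "E.md"), "w", encoding="utf-8") as f:
            f.write("# constructed sample\n")
        with open(os.path.join(base, "requirements.txt"), "w", encoding="utf-8") as f:
            f.write("pytest\n")
        for name in ("E.md", "requirements.txt", "README.md", "../E.md", "setup.py"):
            try:
                outcomes[name] = safe_read_file(name, base)
            except ValueError as err:
                outcomes[name] = "rejected: " + str(err)
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print("{:18} -> {!r}".format(name, result))
```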