Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(PTC-W6004) Audit required: External control of file name or path #70

Closed
reactive-firewall opened this issue Sep 9, 2024 · 2 comments · Fixed by #71
Closed

(PTC-W6004) Audit required: External control of file name or path #70

reactive-firewall opened this issue Sep 9, 2024 · 2 comments · Fixed by #71
Assignees
@reactive-firewall
Labels
bug Something isn't working enhancement New feature or request Linter Any linter tool or setting file enhancements
Milestone
Code Style Techni...

Comments

@reactive-firewall
Copy link
Owner

Description

Python's open() function can take in a relative or absolute path and read its file contents. If a user is provided direct access to the path that is opened, it can have serious security risks.

Occurrences

There is 1 occurrence of this issue in the repository.

https://github.com/reactive-firewall/multicast/blob/v1.4.4/setup.py#L74-L74

See all occurrences on DeepSource → app.deepsource.com/gh/reactive-firewall/multicast/issue/PTC-W6004/occurrences/
@reactive-firewall reactive-firewall self-assigned this Sep 9, 2024
@reactive-firewall reactive-firewall added bug Something isn't working enhancement New feature or request Linter Any linter tool or setting file enhancements labels Sep 9, 2024
reactive-firewall added a commit that referenced this issue Sep 9, 2024
@reactive-firewall
[STYLE] Improved input checking durring bootstrap (- WIP #70 -)
1c44566 
Changes in file setup.py:
 def readFile(filename):
  - fixed PTC-W6004 by improved input checking
@reactive-firewall reactive-firewall linked a pull request Sep 9, 2024 that will close this issue
[STYLE] Improved input checking durring bootstrap (- WIP #70 -) #71
Merged
1 task
@reactive-firewall reactive-firewall mentioned this issue Sep 9, 2024
Merged
1 task
@reactive-firewall
Copy link
Owner Author

During discussion of improvements in PR #71:

@reactive-firewall, here are the details you requested:

  1. any(...) Syntax:

    • The any() function was introduced in Python 2.5. It returns True if any element of the iterable is true. If the iterable is empty, it returns False. You can find the official documentation here.

  2. Triple Double-Quotes:

    • Acknowledged. I will ensure that the triple double-quotes style is maintained for consistency throughout the file.

  3. ValueError Usage:

    • According to the official Python documentation, ValueError is raised when an operation or function receives an argument that has the right type but an inappropriate value. This is not covered by a more precise exception like IndexError. You can find the official documentation here.

  4. Format Strings (f-strings):

    • f-strings were introduced in Python 3.6 as part of PEP 498. They provide a concise and readable way to embed expressions inside string literals. This feature is not available in Python versions prior to 3.6.

@reactive-firewall
Copy link
Owner Author

🤔 ok Let's try this approach:

 	try:
-		if str("""E.md""") not in filename and str("""requirements.txt""") not in filename:
-			raise NotImplementedError("""[CWE-440] Not Implemented.""")
+		allowed_files = ["""E.md""", """requirements.txt"""]
+		if not any(allowed_file in filename for allowed_file in allowed_files):
+			raise ValueError(str(
+			"""[CWE-] Access to the file {} is not allowed."""
+			).format(filename))
 		with open(str("""./{}""").format(str(filename))) as f:
 			theResult = f.read()
-	except Exception:
-		theResult = str(
-			"""See https://github.com/reactive-firewall/multicast/{}"""
-		).format(filename)
+	except Exception as err:
+		theResult = str(
+			"""See https://github.com/reactive-firewall/multicast/{fn}\n{e}"""
+		).format(fn=filename, e=str(err)))

reactive-firewall added a commit that referenced this issue Sep 9, 2024
@reactive-firewall
[MERGE] Merge branches 'feature-70-fix', 'feature-bandit' and 'featur…
61afa26 
…e-67-fix'

* PR #71 (feature-70-fix):
  [REGRESSION] fix for typo in setup.py 🙉
  [PATCH] Applied changes as disscussed in review (- WIP #71 -)
  [PATCH] Improves on fix by using function to practice the D.R.Y. principle (- WIP #71 -)
  [STYLE] Improved input checking durring bootstrap (- WIP #70 -)

* PR #68 (feature-bandit):
  Update .github/workflows/bandit.yml to test auto-fixes
  Update .github/workflows/bandit.yml to point at own fork
  Update bandit.yml
  Create bandit.yml

* PR #69 (feature-67-fix):
  [FIX] Stability fix for error handling (- WIP #67 -)

Changes in file .github/workflows/bandit.yml:
 - New workflow to bandit scan the repo.

Changes in file multicast/__main__.py:
 def doStep(self, *args):
  - fix for error handling by simplifying use of `Exception.args`

Changes in file setup.py:
 def readFile(filename):
  - stability and security improvements to bootstrapping.
@reactive-firewall reactive-firewall mentioned this issue Sep 11, 2024
Closed
26 tasks
@reactive-firewall reactive-firewall linked a pull request Sep 15, 2024 that will close this issue
Release Candidate v1.4.5-RC #75
Closed
26 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@reactive-firewall reactive-firewall

Labels
bug Something isn't working enhancement New feature or request Linter Any linter tool or setting file enhancements
Projects
Multicast Project
Status: Done
Milestone
Code Style Technical Debt
1 participant
@reactive-firewall