Hello,
I noticed 2 Path Traversal vulnerabilities in apps/embed/views.py:
The first one allows overwriting any file with a .zip extension on the server. The vulnerability is located in dataviva-site/dataviva/apps/embed/views.py (line 423 in 5bb4dac) and can be triggered by executing a request with title set to ../../../../../../some/file/path.

The second allows deleting any file with the extensions .png, .svg, .pdf, .csv, .url2csv and is located in dataviva-site/dataviva/apps/embed/views.py (line 419 in 5bb4dac) and dataviva-site/dataviva/apps/embed/views.py (line 430 in 5bb4dac).

These two vulnerabilities can lead to some nasty security consequences and are fairly easy to fix, so I would advise you to patch them. The most trivial fix would be to use the werkzeug.secure_filename() function to sanitize the input, but maybe a more detailed code review is needed. For example, the download_file response object from dataviva-site/dataviva/apps/embed/views.py (line 415 in 5bb4dac) is not used, which is probably not the intended behavior.

Please note that I am not a regular contributor to your project. I found the bugs while testing DeepCode's AI Code Review. The tool can help you automate the process of finding such (and many other types of) bugs. You can sign up your repo (free for Open Source) to receive notifications whenever new bugs are detected. You can give it a try here.
Any feedback is more than welcome at chibo@deepcode.ai.
Cheers, Victor.
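As an added illustration (not code from dataviva-site or from DeepCode), the unsanitised file-name pattern the report describes next to a hardened version that applies the suggested werkzeug.secure_filename() and additionally confines the resolved path to the upload directory. UPLOAD_DIR, unsafe_file_path, safe_file_path and escapes_base are hypothetical names; the extension allowlist is taken from the report, and a simplified stand-in for secure_filename is used only when werkzeug is not installed.

```python
"""Path traversal via a user-controlled file name: vulnerable vs. hardened."""
import os
import re

try:
    from werkzeug.utils import secure_filename  # the fix the report recommends
except ImportError:  # assumption: simplified stand-in mirroring werkzeug's steps
    _STRIP_RE = re.compile(r"[^A-Za-z0-9_.-]")

    def secure_filename(filename: str) -> str:
        for sep in (os.sep, os.path.altsep):
            if sep:
                filename = filename.replace(sep, " ")  # kill path separators
        # collapse whitespace to '_', drop other odd chars, strip leading dots
        return _STRIP_RE.sub("", "_".join(filename.split())).strip("._")

UPLOAD_DIR = "/srv/app/static/embed"  # hypothetical base directory
# extensions named in the report, plus the .zip the first finding concerns
ALLOWED_EXT = {".zip", ".png", ".svg", ".pdf", ".csv", ".url2csv"}


def unsafe_file_path(title: str, ext: str) -> str:
    """Mirrors the reported bug: request-controlled 'title' is joined as-is."""
    return os.path.join(UPLOAD_DIR, title + ext)


def escapes_base(path: str) -> bool:
    """True when the normalised path lies outside UPLOAD_DIR (detection check)."""
    base = os.path.realpath(UPLOAD_DIR)
    return os.path.commonpath([os.path.realpath(path), base]) != base


def safe_file_path(title: str, ext: str) -> str:
    """Hardened variant: sanitise the name, pin the extension, confine the path."""
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {ext!r}")
    name = secure_filename(title)
    if not name:  # e.g. '../' sanitises to nothing
        raise ValueError("empty file name after sanitisation")
    path = os.path.realpath(os.path.join(UPLOAD_DIR, name + ext))
    if escapes_base(path):  # defence in depth, independent of the sanitiser
        raise ValueError("path escapes upload directory")
    return path


if __name__ == "__main__":
    bad = "../../../../../../some/file/path"  # the value quoted in the report
    print("unsafe:", unsafe_file_path(bad, ".zip"), "escapes:", escapes_base(unsafe_file_path(bad, ".zip")))
    print("safe:  ", safe_file_path(bad, ".zip"))
```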