Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix sonar vulnerability #184

Closed
zerasul opened this issue Oct 9, 2020 · 3 comments · Fixed by #187
Closed

Fix sonar vulnerability #184

zerasul opened this issue Oct 9, 2020 · 3 comments · Fixed by #187
Labels
bug Something isn't working hacktoberfest
Projects
0.2.2

Comments

@zerasul
Copy link
Owner

zerasul commented Oct 9, 2020

In the last sonar report, there is a new Sonar Vulnerability.

https://sonarcloud.io/project/issues?id=blask-project-key&issues=AXMIshR2KcdFByWoFtd2&open=AXMIshR2KcdFByWoFtd2
@zerasul zerasul added bug Something isn't working hacktoberfest labels Oct 9, 2020
@dukebody
Copy link
Contributor

@zerasul I understand that the issue is that the user can input any filename in the URL and the system will open and render it. We need to clean it so it only allows opening files from the base directory, not traversing filepaths.

@dukebody
Copy link
Contributor

The solution is to use safe_join instead of path_join I believe: https://tedboy.github.io/flask/interface_api.useful_funcs.html#flask.safe_join

dukebody added a commit to dukebody/blask that referenced this issue Oct 17, 2020
@dukebody
Fix unsafe path opening vulnerability.
7b98f4b 
Fixes zerasul#184.
@dukebody dukebody mentioned this issue Oct 17, 2020
Merged
@zerasul zerasul added this to To do in 0.2.2 via automation Oct 17, 2020
@zerasul
Copy link
Owner Author

zerasul commented Oct 17, 2020

Thanks a lot for the help @dukebody i already merged the pull request.

@zerasul zerasul closed this as completed Oct 17, 2020
0.2.2 automation moved this from To do to Done Oct 17, 2020
@zerasul zerasul mentioned this issue Oct 31, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working hacktoberfest
Projects
No open projects
0.2.2
  
Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix unsafe path opening vulnerability. dukebody/blask
2 participants
@dukebody @zerasul