Fix sonar vulnerability #184

Closed
zerasul opened this issue Oct 9, 2020 · 3 comments · Fixed by #187
Labels
bug Something isn't working hacktoberfest
Comments

@zerasul (Owner) commented Oct 9, 2020

In the last sonar report, there is a new Sonar Vulnerability.

https://sonarcloud.io/project/issues?id=blask-project-key&issues=AXMIshR2KcdFByWoFtd2&open=AXMIshR2KcdFByWoFtd2

@zerasul zerasul added bug Something isn't working hacktoberfest labels Oct 9, 2020
@dukebody (Contributor) commented
@zerasul I understand that the issue is that the user can input any filename in the URL and the system will open and render it. We need to clean it so it only allows opening files from the base directory, not traversing filepaths.

@dukebody (Contributor) commented
The solution is to use safe_join instead of path_join I believe: https://tedboy.github.io/flask/interface_api.useful_funcs.html#flask.safe_join
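
An added illustration, not blask's own code, of the bug described in this thread and the safe_join-style fix: a user-controlled name joined onto the posts directory, beside a check that applies the same rules as Flask's safe_join (in current Flask releases the helper is werkzeug.utils.safe_join, which real code should call rather than reimplement). BASE_DIR, the function names and the sample names are constructed for the example.

```python
# Added example (not blask's code): unsafe join vs. a safe_join-style check.
# Standard library only, so it runs offline; mirrors the werkzeug/flask safe_join rules.
import posixpath

BASE_DIR = "/srv/blask/posts"   # constructed base directory for this example


def unsafe_post_path(filename: str) -> str:
    """Vulnerable: joining a user-supplied name lets '..' walk out of BASE_DIR."""
    return posixpath.normpath(posixpath.join(BASE_DIR, filename))


def safe_post_path(filename: str):
    """Hardened: return the joined path, or None if the name could escape BASE_DIR.

    Same rules as safe_join: normalise first, then refuse absolute paths, a bare
    '..', anything still starting with '../', and backslash separators.
    Sub-directories ("2020/october") remain allowed; only traversal is refused.
    """
    if filename != "":
        filename = posixpath.normpath(filename)
    if (
        "\\" in filename
        or posixpath.isabs(filename)
        or filename == ".."
        or filename.startswith("../")
    ):
        return None
    return posixpath.join(BASE_DIR, filename)


def is_inside_base(path: str) -> bool:
    """Belt-and-braces check on the final path: it must resolve under BASE_DIR.

    commonpath (not a string prefix test) is used so that a sibling such as
    '/srv/blask/posts-old/x' is correctly rejected.
    """
    return posixpath.commonpath([BASE_DIR, posixpath.normpath(path)]) == BASE_DIR


if __name__ == "__main__":
    for name in ["hello-world", "2020/october", "../../settings.py",
                 "/etc/hostname", "a/../../b"]:
        print(f"{name!r:20} unsafe={unsafe_post_path(name)!r:32} "
              f"safe={safe_post_path(name)!r}")
```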

dukebody added a commit to dukebody/blask that referenced this issue Oct 17, 2020
@zerasul zerasul added this to To do in 0.2.2 via automation Oct 17, 2020
@zerasul (Owner, Author) commented Oct 17, 2020

Thanks a lot for the help @dukebody, I already merged the pull request.

@zerasul zerasul closed this as completed Oct 17, 2020
0.2.2 automation moved this from To do to Done Oct 17, 2020
@zerasul zerasul mentioned this issue Oct 31, 2020