Python: Small fixup for flask.send_from_directory #6989


Merged
merged 5 commits into from
Oct 28, 2021

Conversation

RasmusWL
Member

A few fixups to #6330

I think the most controversial thing is in 8c3349f, where I exclude the filename argument from being a path-injection sink. This could have been done in a different way. I considered adding a new concept for this (since that is what we usually do), but I felt that would become WAY too query specific. So I ended up just going directly to the query.

I also questioned the value in even modeling the filename argument as a FileSystemAccess -- asking myself who would ever benefit from this bit of modeling? I'm not sure... but from our very general concept, it doesn't seem obvious that arguments that accept paths, which are internally made safe from path-injection, should be excluded (although simply removing that modeling would have been an easy fix for sure).
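The reasoning behind not treating the filename argument as a path-injection sink, as an added illustration that is not code from this PR, from Flask or from Werkzeug: a safe_join-style check normalizes the untrusted filename and refuses anything that would leave the trusted directory, so the only path that reaches the filesystem is one inside it. The names `safe_join` and `send_from_directory` below are assumed models of that contract, not Flask's implementation.

```python
import os
import posixpath

# Alternate separators that must not appear in an untrusted filename
# (on Windows os.sep is "\\"; posixpath only understands "/").
_ALT_SEPS = [sep for sep in (os.sep, os.path.altsep) if sep and sep != "/"]


def safe_join(directory: str, filename: str):
    """Join an untrusted filename onto a trusted directory.

    Returns the joined path, or None when the filename would escape
    ``directory`` (absolute path, ".." traversal or an alternate separator).
    Illustrative re-implementation of the safe_join idea, not Werkzeug's code.
    """
    if not directory:
        directory = "."
    if filename:
        # Collapse "a/./b" and "a/x/../b" first, so a traversal cannot hide
        # behind an inner segment; anything still starting with ".." escapes.
        filename = posixpath.normpath(filename)
    if (
        any(sep in filename for sep in _ALT_SEPS)
        or os.path.isabs(filename)
        or filename == ".."
        or filename.startswith("../")
    ):
        return None
    return posixpath.join(directory, filename)


def send_from_directory(directory: str, filename: str) -> str:
    """Model of the send_from_directory contract (assumed, not Flask's code):
    the filename is sanitized before any file access, so the argument itself
    is not a sink; an escaping filename yields "not found" rather than a read."""
    path = safe_join(directory, filename)
    if path is None:
        raise FileNotFoundError(filename)  # Flask answers 404 at this point
    return path
```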

Contributor

@yoff yoff left a comment


The concept you would consider would basically be "path-injection-sanitizer", so I approve of using the existing one for that rather than creating a new one.
If a useful, more general concept appears (RelativePathAccess?), we can reshuffle things.

@yoff yoff merged commit beb0902 into github:main Oct 28, 2021
@RasmusWL RasmusWL deleted the flask-file-sending-fixup branch October 28, 2021 12:35