
Commit bd5cf80

committed
Python: Add Path Injection tests for realpath and abspath
Not supported currently
1 parent e53ed47 commit bd5cf80


1 file changed

+36
-2
lines changed

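--- a/python/ql/test/query-tests/Security/CWE-022-PathInjection/path_injection.py
+++ b/python/ql/test/query-tests/Security/CWE-022-PathInjection/path_injection.py
@@ -22,7 +22,7 @@ def path_injection():
 
 
 @app.route("/path3")
-def safe_path():
+def unsafe_path_normpath():
     # Normalized, but `open()` is not guarded by `startswith` check
     filename = request.args.get('filename', '')
     npath = os.path.normpath(os.path.join(STATIC_DIR, filename))
@@ -32,9 +32,43 @@ def safe_path():
 
 
 @app.route("/path4")
-def safe_path():
+def safe_path_normpath():
     # Normalized, and checked properly
     filename = request.args.get('filename', '')
     npath = os.path.normpath(os.path.join(STATIC_DIR, filename))
     if npath.startswith(STATIC_DIR):
         f = open(npath) # OK
+
+
+@app.route("/path5")
+def unsafe_path_realpath():
+    # Normalized (by `realpath` that also follows symlinks), but not checked properly
+    filename = request.args.get('filename', '')
+    npath = os.path.realpath(os.path.join(STATIC_DIR, filename))
+    f = open(npath) # NOT OK
+
+
+@app.route("/path6")
+def safe_path_realpath():
+    # Normalized (by `realpath` that also follows symlinks), and checked properly
+    filename = request.args.get('filename', '')
+    npath = os.path.realpath(os.path.join(STATIC_DIR, filename))
+    if npath.startswith(STATIC_DIR):
+        f = open(npath) # OK
+
+
+@app.route("/path6")
+def unsafe_path_abspath():
+    # Normalized (by `abspath`), but not checked properly
+    filename = request.args.get('filename', '')
+    npath = os.path.abspath(os.path.join(STATIC_DIR, filename))
+    f = open(npath) # NOT OK
+
+
+@app.route("/path7")
+def safe_path_abspath():
+    # Normalized (by `abspath`), and checked properly
+    filename = request.args.get('filename', '')
+    npath = os.path.abspath(os.path.join(STATIC_DIR, filename))
+    if npath.startswith(STATIC_DIR):
+        f = open(npath) # OK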
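Review bot: The route string `"/path6"` is registered twice in the second hunk — once on `safe_path_realpath` and again on `unsafe_path_abspath` — so the abspath pair should be `@app.route("/path7")` and `@app.route("/path8")` to keep the numbering unique and the intent of each fixture unambiguous (if this app were ever served, the second rule for the same URL would never be dispatched). The `# OK` cases also deserve a caveat comment, since `npath.startswith(STATIC_DIR)` is only a sound containment check when `STATIC_DIR` ends with a path separator; otherwise a sibling directory sharing the prefix passes, so something like `# OK — assumes STATIC_DIR has a trailing separator` on the `if` lines would stop the fixture from being read as a general-purpose sanitizer. Note too that `abspath` does not resolve symlinks, so the `safe_path_abspath` check is weaker than the `realpath` one in practice; the existing comments already hint at this for `realpath` and the `abspath` comment could say so explicitly. `STATIC_DIR` and the surrounding definitions are outside the hunk.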
