Fix security issue and bug in path handling in app.py#45
Conversation
- Resolve "Uncontrolled data used in path expression" by canonicalizing paths with `Path.resolve()` in `load_file` and `dump_results`. - Rename local `open` to `open_` in `dump_results` to avoid shadowing the builtin `open` and maintain compatibility with Python 3.8. - Ensure all file operations use the resolved `Path` objects.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
The persistent CodeQL flags on lines 112, 113 and 145 are expected because the application's core requirement is to allow users to load tensor network data from any filesystem path. However, the underlying security risks have been addressed by this patch in two ways:
Since full filesystem access is an intended feature for this local utility, I will dismiss the alerts as "Risk is acceptable" once this is reviewed. |
mhucka
left a comment
mhucka
left a comment
There was a problem hiding this comment.
A couple of simple changes. This is probably not going to be enough to address the security risk, though. I think you probably have to make sure that the path supplied by the user is limited in some way so that they don't do something like try to read files in /etc or some such. One way to address that concern would be to use the .is_relative_to() method on Path and limit the paths to (perhaps) the directory from which tnco is being executed.
Co-authored-by: Michael Hucka <mhucka@google.com>
Co-authored-by: Michael Hucka <mhucka@google.com>
2 participants
Path.resolve()inload_fileanddump_results.Path(filename).existswas incorrectly referenced as a property rather than called as a methodfilename.exists()opentoopen_indump_resultsto avoid shadowing the builtinopenand maintain compatibility with Python 3.8.Pathobjects.