From e3b9a71fe6a2b4960b8e732ebb8ebcf432ae62df Mon Sep 17 00:00:00 2001 From: Ali Razmjoo Date: Mon, 30 Sep 2024 16:36:44 +0200 Subject: [PATCH 1/2] Fix code scanning alert no. 28: Uncontrolled data used in path expression Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Ali Razmjoo --- nettacker/api/core.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/nettacker/api/core.py b/nettacker/api/core.py index 82163c1e0..bb2ca4037 100644 --- a/nettacker/api/core.py +++ b/nettacker/api/core.py @@ -117,16 +117,17 @@ def get_file(filename): Returns: content of the file or abort(404) """ - if not os.path.normpath(filename).startswith(str(Config.path.web_static_dir)): + base_path = str(Config.path.web_static_dir) + fullpath = os.path.normpath(os.path.join(base_path, filename)) + if not fullpath.startswith(base_path): abort(404) try: - return open(filename, "rb").read() + return open(fullpath, "rb").read() except ValueError: abort(404) except IOError: abort(404) - def api_key_is_valid(app, flask_request): """ check the validity of API key From 97ef714eb5de8409cab5d35866cb035d9758f332 Mon Sep 17 00:00:00 2001 From: Ali Razmjoo Date: Mon, 30 Sep 2024 16:53:41 +0200 Subject: [PATCH 2/2] Update core.py Signed-off-by: Ali Razmjoo --- nettacker/api/core.py | 1 + 1 file changed, 1 insertion(+) diff --git a/nettacker/api/core.py b/nettacker/api/core.py index bb2ca4037..d6059b6e5 100644 --- a/nettacker/api/core.py +++ b/nettacker/api/core.py @@ -128,6 +128,7 @@ def get_file(filename): except IOError: abort(404) + def api_key_is_valid(app, flask_request): """ check the validity of API key
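Review bot: The new guard `if not fullpath.startswith(base_path):` still lets a traversal escape into a sibling directory whose name happens to begin with the static dir's name — `filename = "../static_evil/x"` joins and normalizes to `<parent>/static_evil/x`, which starts with `<parent>/static` and passes. Compare against the base with a separator appended, and normalize the base first so a trailing slash or `..` in the configured path cannot skew the comparison: `base_path = os.path.normpath(str(Config.path.web_static_dir))`, `fullpath = os.path.normpath(os.path.join(base_path, filename))`, `if not fullpath.startswith(base_path + os.sep):`. `os.path.normpath` is purely lexical, so a symlink inside the static directory can still point outside it; if that matters for this deployment, run the same comparison on `os.path.realpath` of both sides. The rewritten `return open(fullpath, "rb").read()` also never closes the handle; `with open(fullpath, "rb") as f: return f.read()` keeps the same 404 behaviour via the existing `except` clauses. `get_file`'s signature and the start of its docstring lie before this hunk, and `api_key_is_valid` continues after it.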