❯❱ python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join
Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability,
which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or
os.path.realpath or Path library.
Details: https://sg.run/Dovo
```python
file = request.POST["blog"]          # attacker-controlled value from the request body
try:
    dirname = os.path.dirname(__file__)
    filename = os.path.join(dirname, file)   # "../" segments or an absolute path escape dirname
    file = open(filename, "r")               # the traversed path is opened and returned to the client
    data = file.read()
    return render(request, "Lab/ssrf/ssrf_lab.html", {"blog": data})
except:
    return render(request, "Lab/ssrf/ssrf_lab.html", {"blog": "No blog found"})
```
I don't believe we currently have a codemod for this pattern, but we could deterministically try to implement the suggestion semgrep is giving us.
running semgrep on pygoat
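The Semgrep message recommends `os.path.abspath`, `os.path.realpath` or `pathlib`, but calling one of those on the joined path fixes nothing on its own: the normalized path still has to be compared against the intended base directory. The block below is an added example, not code from pygoat, Semgrep or this project, showing what a deterministic rewrite of the flagged pattern would have to do. The base directory, file names and the `resolve_under_base` / `naive_join` / `demo_symlink_escape` helpers are all assumptions made for the illustration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def naive_join(base_dir: str, user_path: str) -> str:
    # The pattern Semgrep flagged: os.path.join with attacker-controlled input.
    # Note that an absolute user_path discards base_dir entirely.
    return os.path.join(base_dir, user_path)


def resolve_under_base(base_dir: str, user_path: str) -> Optional[str]:
    """Join user_path onto base_dir and return the resolved path only if it
    still lies inside base_dir; otherwise return None.

    os.path.realpath collapses '..' segments *and* follows symlinks, so a
    symlink inside base_dir that points elsewhere is rejected too (abspath
    alone would accept it). The containment test uses os.path.commonpath
    rather than str.startswith so that "/srv/app/blogs2" is not mistaken
    for a child of "/srv/app/blogs".
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:
        # Raised for mixed absolute/relative paths or different drives on Windows.
        return None
    return candidate


def resolve_under_base_pathlib(base_dir: str, user_path: str) -> Optional[str]:
    """Same check using the pathlib API the Semgrep message mentions (Python 3.9+)."""
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    return str(candidate) if candidate.is_relative_to(base) else None


def demo_symlink_escape():
    """Construct the case an abspath-only check misses: a symlink inside the
    base directory pointing outside it. Returns (abspath_check_passed,
    realpath_check_rejected). Directory layout is constructed in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "blogs")
        outside = os.path.join(tmp, "secrets")
        os.mkdir(base)
        os.mkdir(outside)
        with open(os.path.join(outside, "db.conf"), "w") as fh:
            fh.write("password=hunter2\n")  # constructed sample secret
        os.symlink(outside, os.path.join(base, "link"))

        # abspath does not follow symlinks, so this "passes" and would leak db.conf
        abspath_only = os.path.abspath(naive_join(base, "link/db.conf")).startswith(base)
        # realpath follows the symlink out of base, so the request is rejected
        realpath_rejected = resolve_under_base(base, "link/db.conf") is None
        return abspath_only, realpath_rejected


if __name__ == "__main__":
    blogs = "/srv/app/blogs"  # assumed base directory for the illustration
    print(resolve_under_base(blogs, "post1.txt"))
    print(resolve_under_base(blogs, "../../../etc/passwd"))
    print(resolve_under_base(blogs, "/etc/passwd"))
    print(demo_symlink_escape())
```

In the Django view this means `filename = resolve_under_base(dirname, request.POST["blog"])` followed by an explicit `None` check that renders "No blog found", instead of relying on the bare `except` to hide a failed open. The rejected path should be logged with the raw user value; a request for `../../../etc/passwd` is a signal worth keeping.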