Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SBCQ-177-Added additional sanitation for deleting file #988

Merged
merged 3 commits into from
Aug 23, 2024
Merged

SBCQ-177-Added additional sanitation for deleting file #988

merged 3 commits into from
Aug 23, 2024

Conversation

Rajandeep98
Copy link
Collaborator

@Rajandeep98 Rajandeep98 commented Aug 15, 2024
edited
Loading

PS: Change this code to not construct the path from user-controlled data.
Why: _Path injections occur when an application uses untrusted data to construct a file path and access this file without validating its path first.

A user with malicious intent would inject specially crafted values, such as ../, to change the initial intended path. The resulting path would resolve somewhere in the filesystem where the user should not normally have access to._

Changes:
Added static method to sanitize the path before passing it to delete

  • os.basename inbuilt function should remove the additional dir/path attached to name
  • additional constraint to only allow certain character (alphanumeric characters, underscores, hyphens, and dots)
  • as this part of code is only for deleting the mp4 files from predefined directory, adding constraint to only pass mp4 files.

json response:
"videofiles": [
{
"name": "pitest2.mp4",
"date": "2024-06-17 06:06:43 AM",
"size": " 0.492Mb"
},]

@Rajandeep98 Rajandeep98 self-assigned this Aug 15, 2024
@Rajandeep98 Rajandeep98 changed the title Added additional sanitation for deleting file SBCQ-177-Added additional sanitation for deleting file Aug 15, 2024
josekudiyirippil
josekudiyirippil reviewed Aug 19, 2024
View reviewed changes
Copy link
Collaborator

@josekudiyirippil josekudiyirippil left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this PR is linked to PR 946 . Sonar cloud is not reporting that issue now. Needs to discuss.

@Rajandeep98 Rajandeep98 force-pushed the SBCQ177_UserControlledPath branch from f2f1404 to a89d7a7 Compare August 23, 2024 17:41
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@josekudiyirippil josekudiyirippil self-requested a review August 23, 2024 18:48
josekudiyirippil
josekudiyirippil approved these changes Aug 23, 2024
View reviewed changes
Copy link
Collaborator

@josekudiyirippil josekudiyirippil left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

approving

@josekudiyirippil josekudiyirippil merged commit 235fcf7 into bcgov:main Aug 23, 2024
2 of 3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@josekudiyirippil josekudiyirippil josekudiyirippil approved these changes

@midhunmanoj2024 midhunmanoj2024 Awaiting requested review from midhunmanoj2024

@chrsamp chrsamp Awaiting requested review from chrsamp chrsamp is a code owner

Assignees

@Rajandeep98 Rajandeep98

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Rajandeep98 @josekudiyirippil @midhunmanoj2024