Skip to content

remove leading slashes for check path start #497

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
bitterpanda63 merged 12 commits into from
Oct 16, 2025
Merged

remove leading slashes for check path start #497

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
1b562d9
remove leading slashes for check path start
bitterpanda63 Oct 8, 2025
dc5194e
Update aikido_zen/vulnerabilities/path_traversal/unsafe_path_start.py
bitterpanda63 Oct 8, 2025
5bd496e
Apply suggestions from code review
bitterpanda63 Oct 8, 2025
871d2a2
ensure only one leading slahs
bitterpanda63 Oct 8, 2025
d769775
Update aikido_zen/sinks/tests/os_test.py
bitterpanda63 Oct 9, 2025
3b6c6ea
linting
bitterpanda63 Oct 9, 2025
549943b
add test case of regular path trav, with mulitple slashes
bitterpanda63 Oct 9, 2025
f05d93a
Add pathlib sink
bitterpanda63 Oct 9, 2025
9241e1f
Update aikido_zen/sinks/tests/os_test.py
bitterpanda63 Oct 14, 2025
d45f628
Merge branch 'main' into os-sink-remove-leading-slashes
bitterpanda63 Oct 14, 2025
139bb8c
Merge remote-tracking branch 'origin/os-sink-remove-leading-slashes' …
bitterpanda63 Oct 14, 2025
3926a75
remove set_context in favour of test_utils
bitterpanda63 Oct 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 42 additions & 0 deletions aikido_zen/sinks/tests/os_test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,42 @@
from pathlib import Path, PurePath
from unittest.mock import patch
import aikido_zen.sinks.os
from aikido_zen.context import Context
from aikido_zen.errors import AikidoPathTraversal
from aikido_zen.sinks.tests.clickhouse_driver_test import set_blocking_to_true

kind = "path_traversal"


def set_context(param):
wsgi_request = {
"REQUEST_METHOD": "GET",
"HTTP_HEADER_1": "header 1 value",
"HTTP_HEADER_2": "Header 2 value",
"RANDOM_VALUE": "Random value",
"HTTP_COOKIE": "sessionId=abc123xyz456;",
"wsgi.url_scheme": "http",
"HTTP_HOST": "localhost:8080",
"PATH_INFO": "/hello",
"QUERY_STRING": "user=JohnDoe&age=30&age=35",
"CONTENT_TYPE": "application/json",
"REMOTE_ADDR": "198.51.100.23",
}
context = Context(
req=wsgi_request,
body={
"param": param,
},
source="flask",
)
context.set_as_current_context()


@pytest.fixture(autouse=True)
def set_blocking_to_true(monkeypatch):
monkeypatch.setenv("AIKIDO_BLOCK", "1")


def test_ospath_commands():
with patch(
"aikido_zen.vulnerabilities.run_vulnerability_scan"
Expand Down Expand Up @@ -39,6 +71,16 @@ def test_ospath_commands():
mock_run_vulnerability_scan.assert_any_call(kind=kind, op=op, args=args)


def test_os_create_path_with_multiple_slashes():
import os

file_path = "////etc/passwd"
set_context(file_path)
with pytest.raises(AikidoPathTraversal):
full_path = Path("flaskr/resources/blogs/") / file_path
open(full_path, "r").close()


def test_ospath_command_absolute_path():
with patch(
"aikido_zen.vulnerabilities.run_vulnerability_scan"
Expand Down
12 changes: 8 additions & 4 deletions aikido_zen/vulnerabilities/path_traversal/unsafe_path_start.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,13 +28,17 @@

def starts_with_unsafe_path(file_path, user_input):
"""Check if the file path starts with any dangerous paths and the user input."""
lower_case_path = file_path.lower()
lower_case_user_input = user_input.lower()
path_parsed = trim_leading_slashes(file_path.lower())
input_parsed = trim_leading_slashes(user_input.lower())

for dangerous_start in dangerous_path_starts:
if lower_case_path.startswith(dangerous_start) and lower_case_path.startswith(
lower_case_user_input
if path_parsed.startswith(dangerous_start) and path_parsed.startswith(
input_parsed
):
return True

return False


def trim_leading_slashes(path: str) -> str:
return "/" + path.lstrip("/")
Loading