(PTC-W6004) Audit required: External control of file name or path

[reactive-firewall]

Description

Python's open() function can take in a relative or absolute path and read its file contents. If a user is provided direct access to the path that is opened, it can have serious security risks.

Occurrences

There is 1 occurrence of this issue in the repository.

https://github.com/reactive-firewall/multicast/blob/v1.4.4/setup.py#L74-L74

See all occurrences on DeepSource → app.deepsource.com/gh/reactive-firewall/multicast/issue/PTC-W6004/occurrences/

[reactive-firewall]

During discussion of improvements in PR #71:

@reactive-firewall, here are the details you requested:

1. any(...) Syntax:

   • The any() function was introduced in Python 2.5. It returns True if any element of the iterable is true. If the iterable is empty, it returns False. You can find the official documentation here.

2. Triple Double-Quotes:

   • Acknowledged. I will ensure that the triple double-quotes style is maintained for consistency throughout the file.

3. ValueError Usage:

   • According to the official Python documentation, ValueError is raised when an operation or function receives an argument that has the right type but an inappropriate value. This is not covered by a more precise exception like IndexError. You can find the official documentation here.

4. Format Strings (f-strings):

   • f-strings were introduced in Python 3.6 as part of PEP 498. They provide a concise and readable way to embed expressions inside string literals. This feature is not available in Python versions prior to 3.6.

[reactive-firewall]

🤔 ok Let's try this approach:

 	try:
-		if str("""E.md""") not in filename and str("""requirements.txt""") not in filename:
-			raise NotImplementedError("""[CWE-440] Not Implemented.""")
+		allowed_files = ["""E.md""", """requirements.txt"""]
+		if not any(allowed_file in filename for allowed_file in allowed_files):
+			raise ValueError(str(
+			"""[CWE-] Access to the file {} is not allowed."""
+			).format(filename))
 		with open(str("""./{}""").format(str(filename))) as f:
 			theResult = f.read()
-	except Exception:
-		theResult = str(
-			"""See https://github.com/reactive-firewall/multicast/{}"""
-		).format(filename)
+	except Exception as err:
+		theResult = str(
+			"""See https://github.com/reactive-firewall/multicast/{fn}\n{e}"""
+		).format(fn=filename, e=str(err)))