File Read Path Manipulation Python

Author: sahildari

.github/workflows/python-ci.yml

@@ -10,7 +10,8 @@ jobs:
   build:
     runs-on: ubuntu-latest
     env:
-      working-directory: "./Path Manipulation/Path Manipulation while File Upload/python"
+      working-directory-fileupload: "./Path Manipulation/Path Manipulation while File Upload/python"
+      working-directory-fileread: "./Path Manipulation/Path Manipulation while File Read/python"
 
     steps:
       - name: Checkout code
@@ -21,8 +22,14 @@ jobs:
         with:
           python-version: '3.9'
 
-      - name: Install Dependencies
-        working-directory: ${{ env.working-directory }}
+      - name: Install Dependencies for Path Manipulation while File Upload
+        working-directory: ${{ env.working-directory-fileupload }}
+        run: |
+          python -m pip install --upgrade pip
+          pip install .
+      
+      - name: Install Dependencies for Path Manipulation while File Read
+        working-directory: ${{ env.working-directory-fileread }}
         run: |
           python -m pip install --upgrade pip
           pip install .

Path Manipulation/Path Manipulation while File Read/python/MANIFEST.in

@@ -0,0 +1 @@
+recursive-include pathmanipulation/src/templates *

Path Manipulation/Path Manipulation while File Read/python/README.md

@@ -0,0 +1,39 @@
+# Path Manipulation 
+This python project is to help to mitigate the path manipulation issues. You can use the logic in the [pathmanipulation.py](./securecodingexamples/fileread/pathmaniuplation/src/pathmanipulation.py) in your [Flask](https://pypi.org/project/Flask/) or [Django](https://pypi.org/project/Django/) projects or any other Python projects.
+
+## Code Structure
+
+[app.py](./securecodingexamples/fileread/pathmaniuplation/src/app.py) contains the Flask Code to handle the file upload logic with maximum file size.
+
+[pathmanipulation.py](./securecodingexamples/fileread/pathmaniuplation/src/pathmanipulation.py) contains logic for Filename, File extension, Double extension check and null byte checks.
+
+[template](./securecodingexamples/fileread/pathmaniuplation/src/templates/) directory contains the index.html as frontend for the file upload with file type check on the client side.
+
+You can try to play around this by following the Installation steps, check the Usage to run the Flask app.
+
+## Installation
+
+Please note that this project will try to fetch the files from your ___TEMP/Uploads___ directory. You can either manually create your files in the directory, or you can navigate to [Path Manipulation while File Upload Python Project](../../Path%20Manipulation%20while%20File%20Upload/python/) and follow the installation steps and Upload the test files.
+
+_TEMP : temporary Folder in your OS_
+_%TEMP% file in Windows_
+_/tmp Directory in Linux/MacOS_
+
+1. Clone the repository:
+```sh
+git clone https://github.com/sahildari/secure-coding-examples
+cd 'Path Manipulation/Path Manipulation while File Read/python'
+```
+2. Install the package:   
+```sh
+pip install .
+```
+## Usage
+1. Run the Flask app
+```sh
+python run.py
+```
+2. Open in Browser:
+```
+http://127.0.0.1:5000
+```

Path Manipulation/Path Manipulation while File Read/python/run.py

@@ -0,0 +1,6 @@
+#!/usr/bin/env python
+
+from securecodingexamples.fileread.pathmaniuplation.src.app import app
+
+if __name__ == '__main__':
+    app.run(debug=True)

Path Manipulation/Path Manipulation while File Read/python/securecodingexamples/__init__.py

@@ -0,0 +1,58 @@
+#!/usr/bin/env python3
+
+from flask import Flask, request, jsonify, render_template, send_file
+import os
+import tempfile
+import logging
+from .pathmanipulation import is_valid_name, is_valid_extension, valid_filename
+
+app = Flask(__name__)
+TEMPDIR = tempfile.gettempdir()
+LOGDIR = os.path.join(TEMPDIR + "/logs/")
+UPLOADDIR = os.path.join(TEMPDIR + "/Uploads/")
+
+os.makedirs(LOGDIR, exist_ok=True)
+
+loglocation = os.path.join(LOGDIR + "app.log")
+logging.basicConfig(
+    level=logging.INFO,
+    handlers= [
+        logging.FileHandler(loglocation),
+        logging.StreamHandler()
+        ]
+    )
+
+logger = logging.getLogger(__name__)
+
+@app.route("/", methods=["GET"])
+def main():
+    files = os.listdir(UPLOADDIR)
+    return render_template("index.html", files=files)  
+
+@app.route("/download/<path:filename>", methods=["GET"])
+def download_file(filename: str):
+    """Handles file upload with validation."""
+    try:
+        if(filename is None or not is_valid_name(filename)):
+            logger.error("Invalid filename")
+            return jsonify({"error": "Invalid filename"}), 400
+        
+        if(filename is None or not is_valid_extension(filename)):
+            logger.error("Invalid extension")
+            return jsonify({"error": "Invalid extension"}), 400
+        
+        if(is_valid_extension(filename) and is_valid_name(filename)):
+            validfilename = valid_filename(filename)
+            logger.info(f"Valid filename: {validfilename}")
+            downloads = os.path.join(UPLOADDIR, validfilename)
+            logger.info("download() method started")
+            logger.info(f"Requested file: {downloads}")
+            return send_file(downloads, as_attachment=True), 200
+
+    except Exception as e:
+        logger.error("download() method failed")
+        logger.error(e)
+        return jsonify({"error": "Internal Server Error"}), 500
+
+if __name__ == '__main__':
+    app.run(debug=True)

Path Manipulation/Path Manipulation while File Read/python/securecodingexamples/fileread/__init__.py

@@ -0,0 +1,26 @@
+#!/usr/bin/env python3
+
+import re
+
+FILENAME_REGEX_PATTERN = r"^[a-zA-Z0-9\-\_]+$"
+ALLOWED_EXTENSIONS = set(["txt", "pdf"]) # this example allows the text and pdf files 
+
+
+"""This function checks if the filename is valid and doesn't contain any dot character in the name."""
+def is_valid_name(filename: str) -> bool:
+    name = filename.rsplit('.', 1)[0]
+    regex_match = re.search(FILENAME_REGEX_PATTERN, name)
+    return True if(regex_match != None) else False
+
+"""This function checks for the valid file extensions."""
+def is_valid_extension(filename: str) -> bool:
+    ext = filename.rsplit(".", 1)[1]
+    return True if (ext in ALLOWED_EXTENSIONS) else False
+
+def valid_filename(filename: str) -> str:
+    name, ext = filename.rsplit('.', 1)
+    name = re.sub(r"\.", "", name)
+    name = re.sub(r"\%[A-Za-z0-9]+", "", name)
+    ext = re.sub(r"\%[A-Za-z0-9]+", "", ext)
+    regex_match = re.search(FILENAME_REGEX_PATTERN, name)
+    return f"{regex_match.group(0)}.{ext}" # returns the sanitized filename with the extension for upload and download