Skip to content

Commit 89ce1e6

Browse files
jkcsogithub-advanced-security[bot]
jkcso
and
github-advanced-security[bot]
authored
Potential fix for code scanning alert no. 46: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
1 parent a729f02 commit 89ce1e6

File tree

1 file changed

+2
-6
lines changed

1 file changed

+2
-6
lines changed

Season-1/Level-3/solution.py

Lines changed: 2 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -25,14 +25,10 @@ def get_prof_picture(self, path=None):
2525
if not path:
2626
pass
2727

28-
# defends against path traversal attacks
29-
if path.startswith('/') or path.startswith('..'):
30-
return None
31-
3228
# builds path
3329
base_dir = os.path.dirname(os.path.abspath(__file__))
3430
prof_picture_path = os.path.normpath(os.path.join(base_dir, path))
35-
if base_dir != os.path.commonpath([base_dir, prof_picture_path]):
31+
if not prof_picture_path.startswith(base_dir):
3632
return None
3733

3834
with open(prof_picture_path, 'rb') as pic:
@@ -52,7 +48,7 @@ def get_tax_form_attachment(self, path=None):
5248
# Validate the path to prevent path traversal attacks
5349
base_dir = os.path.dirname(os.path.abspath(__file__))
5450
tax_form_path = os.path.normpath(os.path.join(base_dir, path))
55-
if base_dir != os.path.commonpath([base_dir, tax_form_path]):
51+
if not tax_form_path.startswith(base_dir):
5652
return None
5753

5854
with open(tax_form_path, 'rb') as form:

0 commit comments

Comments
 (0)