Python: Add note about / for Django upload_to

I did a test locally, something like import requests req = requests.Request( "POST", "http://127.0.0.1:8000/app/upload-test/", data={"name": "foo"}, files={"upload" : ("wat/haha|!#$%^&", open("foo.txt", "rb"))}, ) # print(req.prepare().body.decode('ascii')) requests.session().send(req.prepare()) and the `wat/` part was stripped from the filename
2026-04-29 18:55:14 +02:00 · 2022-01-28 12:16:52 +01:00
parent f962d8e72c
commit 3e71d7f9bb
1 changed files with 6 additions and 0 deletions
--- a/python/ql/lib/semmle/python/frameworks/Django.qll
+++ b/python/ql/lib/semmle/python/frameworks/Django.qll
@@ -2272,6 +2272,12 @@ module PrivateDjango {
   * A parameter that accepts the filename used to upload a file. This is the second
   * parameter in functions used for the `upload_to` argument to a `FileField`.
   *
+   * Note that the value this parameter accepts cannot contain a slash. Even when
+   * forcing the filename to contain a slash when sending the request, django does
+   * something like `input_filename.split("/")[-1]` (so other special characters still
+   * allowed). This also means that although the return value from `upload_to` is used
+   * to construct a path, path injection is not possible.
+   *
   * See
   *  - https://docs.djangoproject.com/en/3.1/ref/models/fields/#django.db.models.FileField.upload_to
   *  - https://docs.djangoproject.com/en/3.1/topics/http/file-uploads/#handling-uploaded-files-with-a-model