Python: Properly model flask.send_from_directory

To not include `filename` as path-injection sink.
2026-05-01 03:35:13 +02:00 · 2021-10-28 13:41:39 +02:00
parent 228e9e973a
commit 8c3349f40f
5 changed files with 33 additions and 19 deletions
--- a/python/ql/test/library-tests/frameworks/flask/file_sending.py
+++ b/python/ql/test/library-tests/frameworks/flask/file_sending.py
@@ -1,7 +1,7 @@
 from flask import send_from_directory, send_file

-send_from_directory("filepath", "file")  # $ getAPathArgument="filepath" getAPathArgument="file"
-send_from_directory(directory="filepath", filename="file") # $ getAPathArgument="filepath" getAPathArgument="file"
+send_from_directory("dir", "file")  # $ getAPathArgument="dir" getAPathArgument="file"
+send_from_directory(directory="dir", filename="file") # $ getAPathArgument="dir" getAPathArgument="file"

 send_file("file")  # $ getAPathArgument="file"
 send_file(filename_or_fp="file")  # $ getAPathArgument="file"