hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Python: Highlight os.path.join behavior with absolute paths

Browse Source
This commit is contained in:
Rasmus Wriedt Larsen
2020-12-03 11:08:34 +01:00
parent 4d9f24a24c
commit e53ed478ab
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
python/ql/src/Security/CWE-022/PathInjection.qhelp
View File

@@ -43,7 +43,8 @@ In the second example, it appears that the user is restricted to opening a file
special characters. For example, the string <code>"../../../etc/passwd"</code> will result in the code
reading the file located at <code>"/server/static/images/../../../etc/passwd"</code>, which is the system's
password file. This file would then be sent back to the user, giving them access to all the
system's passwords.
system's passwords. Note that it is still possible to use an absolute path, since the result of
<code>os.path.join("/server/static/images/", "/etc/passwd")</code> is <code>"/etc/passwd"</code>.
</p>
<p>