Audit required: External control of file name or path PTC-W6004
External variable 'ssa_path' used in file path
918
919 first_slide_frame_num = int(first_slide_frame_num)
920
921 with open(ssa_path, "r") as ssa_file, open( 922 transcript_json_path, "r"
923 ) as transcript_json_file:
924 ssa = json.load(ssa_file)External variable 'audio_path' used in file path
269 elif isinstance(model, str):
270 model = load_fasterwhisper_model(model)
271
272 with open(audio_path, "rb") as f:273 segments, transcription_info = model.transcribe(f, beam_size=5)
274
275 results = []External variable 'transcript_save_file' used in file path
655 transcript_json_save_path=None,
656):
657 """Write ``transcript`` to ``transcript_save_file`` and ``transcript_json`` to ``transcript_json_save_path``."""
658 with open(transcript_save_file, "w+") as file_results:659 logger.info("Writing text transcript to file " + str(transcript_save_file))
660 file_results.write(transcript)
661External variable 'raw_save_file' used in file path
371 json_save_file (str): The path to save the json output. A ".json" file.
372 """
373 logger.info("Writing raw text to file " + str(raw_save_file))
374 with open(raw_save_file, "w+") as file_results:375 for item in raw_texts:
376 file_results.write(item + "\r\n")
377 logger.debug("Raw text written to " + str(raw_save_file))
Description
Python's open() function can take in a relative or absolute path and read its file contents.
If a user is provided direct access to the path that is opened, it can have serious security risks.
Bad practice
def read_file(path):
with open(os.path.join('some/path', path)) as f:
f.read()
# Someone can exploit `read_file` and see your secrets this way:
read_file('../../../secrets.txt')
Recommended
Either use a static path:
def read_file(path):
with open('some/path/to/file.txt') as f:
f.read()
Or, do some kind of validation to make sure you're not allowing arbitrary file access:
def read_file(filename):
if filename not in ('x.txt', 'y.txt'):
return 'Invalid filename'
with open(os.path.join('some/path', path)) as f:
f.read()
References
- OWASP Top 10 2021 Category A01 - Broken Access Control
- OWASP Top 10 2021 Category A04 - Insecure Design
- CWE-73 External Control of File Name or Path