TP2000-1269 Resolve uncontrolled data used in path expression alert #1257
Conversation
"File name must only include alphanumeric characters and special characters such as spaces, hyphens and underscores.", | ||
) | ||
validate_filename(uploaded_taric_file.name) | ||
validate_filepath(uploaded_taric_file) | ||
|
||
try: | ||
xml_file = parse_xml(uploaded_taric_file) |
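Review bot: validate_filename is called with uploaded_taric_file.name while validate_filepath is called with the whole uploaded_taric_file object. If validate_filepath only needs the file's name, passing it the same checked string (for example the value returned by validate_filename) keeps both guards working on one sanitised str, and leaves parse_xml(uploaded_taric_file) as the only place the upload object itself is consumed.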
Despite the current validation (and after various other validation attempts), one CodeQL alert warning that uploaded_taric_file is an uncontrolled user input still remains.
It may just be a false positive, where the scanner overlooks how we're having to access the name attribute on the InMemoryUploadedFile object to validate its filename, and not a str or other such object that can be directly acted upon to satisfy the scanner's expectations.
If the code scan alert is a false positive, then I think it should be okay to mark it as such, perhaps referencing this comment in the accompanying message.
TP2000-1269 Resolve uncontrolled data used in path expression alert
Why
The filenames of TARIC files uploaded in the importer form could use some validation and sanitisation.
What
validate_filename and validate_filepath, that can be used to guard against malicious filenames and path traversal attacks
ImportBatch based on the uploaded TARIC file
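As an added illustration of the two guards named in this description (example code, not the project's own; the upload root, the single .xml suffix rule and the FakeUpload stand-in for InMemoryUploadedFile are assumptions), here is a filename allow-list check paired with a containment check that rejects any name resolving outside the upload directory:

```python
import os
import re
from pathlib import Path

# Assumed upload directory; the project's real setting is not on this page.
UPLOAD_ROOT = Path("/tmp/taric_uploads").resolve()
# Allow-list from the form's error message: alphanumerics, spaces, hyphens, underscores.
# Requiring a single ".xml" suffix is an assumption (TARIC uploads are parsed as XML).
FILENAME_RE = re.compile(r"[A-Za-z0-9 _-]+\.xml")

class InvalidFilename(ValueError):
    pass

def validate_filename(name: str) -> str:
    """Return `name` unchanged if it is a bare, allow-listed file name; else raise."""
    if not isinstance(name, str) or not name:
        raise InvalidFilename("File name is empty.")
    # Reject directory components and parent references before the regex check.
    if os.path.basename(name) != name or "\\" in name or name in (".", ".."):
        raise InvalidFilename("File name must not contain path components.")
    if not FILENAME_RE.fullmatch(name):
        raise InvalidFilename(
            "File name must only include alphanumeric characters and special "
            "characters such as spaces, hyphens and underscores."
        )
    return name

def validate_filepath(name: str, root: Path = UPLOAD_ROOT) -> Path:
    """Join `name` onto `root` and confirm the resolved path stays directly inside it."""
    candidate = (root / name).resolve()
    if candidate.parent != root:
        raise InvalidFilename(f"{name!r} resolves outside the upload directory.")
    return candidate

class FakeUpload:
    """Constructed stand-in for Django's InMemoryUploadedFile (only .name is used)."""
    def __init__(self, name: str) -> None:
        self.name = name

def sanitised_upload_path(uploaded) -> Path:
    """Validate the upload's name and hand downstream code a checked str/Path, not the upload."""
    safe_name = validate_filename(uploaded.name)
    return validate_filepath(safe_name)

def is_safe_upload(name: str) -> bool:
    try:
        sanitised_upload_path(FakeUpload(name))
        return True
    except InvalidFilename:
        return False
```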