Improper validation of input data, leading to potential data leaks. The path should be checked and validated before opening a file in order to prevent opening random files and leaking data.
defdownload_file1(request):url=request.GET.get("filename")print(f"url of the file: {url}")file=open(url,"rb")withopen(url)asf:passpassdefdownload_file2(request):url=request.POST.get("filename")print(f"url of the file: {url}")file=open(url,"rb")withopen(url)asf:passpassdefdownload_file3(request):url=request.BLA.get("filename")print(f"url of the file: {url}")file=open(url,"rb")withopen(url)asf:passpass
Compliant Code Examples
importosdefdownload_file(request):url=request.GET.get("filename")if".."inurl:returnsanitized_path=os.path.realpath(url,strict=True)print(f"url of the file: {url}")file=open(sanitized_path,"rb")withopen(sanitized_path)asf:passpass
Seamless integrations. Try Datadog Code Analysis
Datadog Code Analysis
Try this rule and analyze your code with Datadog Code Analysis
How to use this rule
1
2
rulesets:- python-django # Rules to enforce Python django.
Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Analysis scans to your CI pipelines