<h2>Why is this an issue?</h2>

<h3>What is the potential impact?</h3>

<h4>Unauthorized access to sensitive information</h4>

<p>When file or directory permissions grant access to all users on a system (often represented as "others" or "everyone" in permission models),

attackers who gain access to any user account can read sensitive files containing credentials, configuration data, API keys, database passwords,

personal information, or proprietary business data. This exposure can lead to data breaches, identity theft, compliance violations, and competitive

disadvantage.</p>

<h4>Service disruption and data corruption</h4>

<p>Granting write permissions to broad user categories allows any user on the system to modify or delete critical files and directories. Attackers or

compromised low-privileged accounts can corrupt application data, modify configuration files to alter system behavior or disrupt services, or delete

important resources, leading to service outages, system instability, data loss, and denial of service.</p>

<h4>Privilege escalation</h4>

<p>When executable files or scripts have overly permissive permissions, especially when combined with special permission bits that allow programs to

execute with the permissions of the file owner or group rather than the executing user, attackers can replace legitimate executables with malicious

code. When these modified files are executed by privileged users or processes, the attacker’s code runs with elevated privileges, potentially enabling

them to escalate from a low-privileged account to root or administrator access, install backdoors, or pivot to other systems in the network.</p>

<h2>How to fix it</h2>

<p>When using <code>os.umask</code>, set a restrictive umask value that prevents permissions for "others". The umask value <code>0o777</code> ensures

that no permissions are granted to any category by default. This is the most secure approach as it requires explicit permission grants rather than

implicit ones.</p>

<h3>Code examples</h3>

<h4>Noncompliant code example</h4>

<h4>Compliant solution</h4>

<h2>Resources</h2>

<h3>Documentation</h3>

<li>OWASP File Permission Testing Guide - <a

href="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/09-Test_File_Permission">OWASP guidance on testing file permissions in web applications</a></li>

<li>Python Documentation - os.umask - <a href="https://docs.python.org/3/library/os.html#os.umask">Official Python documentation for the os.umask

function</a></li>

<li>Python Documentation - os.chmod - <a href="https://docs.python.org/3/library/os.html#os.chmod">Official Python documentation for the os.chmod

function</a></li>

<li>Python Documentation - os.lchmod - <a href="https://docs.python.org/3/library/os.html#os.lchmod">Official Python documentation for the os.lchmod

function</a></li>

<li>Python Documentation - os.fchmod - <a href="https://docs.python.org/3/library/os.html#os.fchmod">Official Python documentation for the os.fchmod

function</a></li>

<h3>Standards</h3>

<li>CWE - <a href="https://cwe.mitre.org/data/definitions/732">CWE-732 - Incorrect Permission Assignment for Critical Resource</a></li>

Development: V-222430</a> - The application must execute without excessive account permissions</li>

<li>OWASP - <a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">Top 10 2021 Category A1 - Broken Access Control</a></li>

<li>OWASP - <a href="https://owasp.org/Top10/A04_2021-Insecure_Design/">Top 10 2021 Category A4 - Insecure Design</a></li>

<li>OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control">Top 10 2017 Category A5 - Broken Access Control -

OWASP Top 10 2017</a></li>

"title": "File permissions should not be set to world-accessible values",

"type": "VULNERABILITY",

},

"quickfix": "unknown"

<code>einops</code> uses a different convention than the <a href="https://ejenner.com/post/einsum">traditional</a> one. In particular, the axis names

<li>Flask Security Considerations - <a href="https://flask.palletsprojects.com/en/stable/web-security/">Flask security best practices and common

<li>Gunicorn Documentation - <a href="https://gunicorn.org/quickstart/">Production WSGI server for Python web applications</a></li>

<p>This is an issue when a Pydantic model field uses <code>Optional[Type]</code> without providing an explicit default value, or when using

<code>Field(…​)</code> with <code>Optional[Type]</code> and the ellipsis operator.</p>

way of explicitly marking a field as required. This creates a direct contradiction: the type hint says the field can be <code>None</code>, but

<code>Field(…​)</code> says it must be provided.</p>

<h3>Exceptions</h3>

<p>Fields typed as <code>Type | None</code>, <code>None | Type</code>, or <code>Union[Type, None]</code> are compliant, with or without a default

value.</p>

<p>These annotations are explicit nullable type declarations and do not imply that the field may be omitted from input data.</p>

<p>When <code>Optional[…​]</code> fields lack explicit default values, the application may reject requests where users omit fields they believe to be

optional. This leads to:</p>

<p>For <code>Optional[…​]</code> fields, avoid the ellipsis form (<code>Field(…​)</code>) and provide an explicit default instead.</p>

from pydantic import BaseModel, Field

from typing import Optional, Union

from pydantic import BaseModel, Field

"latest-update": "2026-03-10T13:34:05.699012606Z",