File tree Expand file tree Collapse file tree 1 file changed +24
-0
lines changed
Filter options
Expand file tree Collapse file tree 1 file changed +24
-0
lines changed
Original file line number Diff line number Diff line change 11import os
22
3+ # Example of a secure function that doesn't suffer from path traversal
34def safe_path (path ):
45 base_dir = os .path .dirname (os .path .abspath (__file__ ))
56 filepath = os .path .normpath (os .path .join (base_dir , path ))
67 if base_dir != os .path .commonpath ([base_dir , filepath ]):
78 return None
89 return filepath
910
11+ # Following the above, this is the secure version of the respective function on code.py
12+ def get_prof_picture (self , path = None ):
13+ # setting a profile picture is optional
14+ if not path :
15+ pass
16+
17+ # defends against path traversal attacks
18+ if path .startswith ('/' ) or path .startswith ('..' ):
19+ return None
20+
21+ # builds path
22+ base_dir = os .path .dirname (os .path .abspath (__file__ ))
23+ prof_picture_path = os .path .normpath (os .path .join (base_dir , path ))
24+ if base_dir != os .path .commonpath ([base_dir , prof_picture_path ]):
25+ return None
26+
27+ with open (prof_picture_path , 'rb' ) as pic :
28+ picture = bytearray (pic .read ())
29+
30+ # assume that image is returned on screen after this
31+ return prof_picture_path
32+
33+
1034# Solution explanation
1135
1236# Path Traversal vulnerability
You can’t perform that action at this time.
0 commit comments