[Security] Fix CodeQL alert #31: Uncontrolled data used in path expression #99
colin-d-fried wants to merge 1 commit into
Conversation
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| img_path = "./static/images/" + img_name | ||
| base_dir = os.path.realpath("./static/images/") | ||
| img_path = os.path.realpath(os.path.join(base_dir, img_name)) | ||
| if not img_path.startswith(base_dir): |
Path traversal check bypassable via sibling directory prefix
High Severity
The startswith check against base_dir can be bypassed because os.path.realpath strips trailing slashes. If base_dir resolves to e.g. /app/static/images, a request for a file in a sibling directory like /app/static/images_evil/secret.txt would pass the img_path.startswith(base_dir) check. The comparison needs to ensure the path is within the directory by appending os.sep to base_dir (or also allowing an exact match with base_dir itself).
| if not img_path.startswith(base_dir): | ||
| return 'Access denied', 403 |
🔴 Path traversal bypass via startswith without trailing separator
The startswith check on line 51 is bypassable. os.path.realpath strips trailing slashes, so base_dir will be e.g. /abs/path/to/static/images. An attacker can request ?name=../images_evil/secret.txt, which resolves to /abs/path/to/static/images_evil/secret.txt. This path passes img_path.startswith(base_dir) because the string /abs/path/to/static/images_evil/... starts with /abs/path/to/static/images, allowing access to files outside the intended directory. The check should use img_path.startswith(base_dir + os.sep) (or also allow an exact match with base_dir).
| if not img_path.startswith(base_dir): | |
| return 'Access denied', 403 | |
| if not (img_path == base_dir or img_path.startswith(base_dir + os.sep)): | |
| return 'Access denied', 403 |
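Review bot: the corrected condition `if not (img_path == base_dir or img_path.startswith(base_dir + os.sep))` closes the sibling-directory prefix bypass, but the equality branch still lets a request resolve to the base directory itself (an empty or `.` name), which then reaches `send_file` with a directory rather than a file. Unless serving the exact base path is intended, drop the `img_path == base_dir` clause or add an `os.path.isfile(img_path)` check before calling `send_file`. Worth stating in the PR description as well: because `os.path.realpath` follows symlinks, a symlink inside `./static/images/` that points outside the directory is now denied, which is the intended hardening but changes what the route previously served.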


Summary
Fixes CodeQL alert #31: Uncontrolled data used in path expression
vulnerable_path_traversal.py: Fix Applied
See the diff for the specific secure coding change applied.
Fixes #33
Note
Low Risk
Low-risk, localized change that only affects how /image resolves and validates file paths; potential risk is blocking previously-accepted (but unsafe) paths.
Overview
Hardens the /image route against path traversal by resolving the requested filename against a real ./static/images/ base directory and denying requests whose resolved path escapes that base. Replaces string path concatenation with os.path.join + os.path.realpath and returns 403 on invalid paths before calling send_file.
Written by Cursor Bugbot for commit a6b7c17.
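As an added illustration of the two checks discussed in the review comments (example code, not the repository's own), the function below reproduces the first-revision prefix check and the corrected one side by side. The base directory /app/static/images and the request names are constructed for the example; no files need to exist, since os.path.realpath normalizes non-existent paths too.

```python
import os

# Constructed base directory for the example; the route in the PR uses
# os.path.realpath("./static/images/"), which has the same shape.
BASE_DIR = "/app/static/images"


def resolve_image_path(base_dir, img_name, strict=True):
    """Resolve img_name under base_dir and decide whether it stays inside.

    strict=False reproduces the first-revision check (img_path.startswith(base_dir)),
    which a sibling directory such as images_evil can bypass because realpath
    strips the trailing separator from base_dir.
    strict=True is the corrected check: exact match or base_dir + os.sep prefix.
    Returns (allowed, resolved_path).
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards base when img_name is absolute; realpath plus the
    # prefix check below still rejects such a path.
    resolved = os.path.realpath(os.path.join(base, img_name))
    if strict:
        allowed = resolved == base or resolved.startswith(base + os.sep)
    else:
        allowed = resolved.startswith(base)
    return allowed, resolved


def check_requests():
    """Run the request names from the review thread through both checks."""
    sibling = "../images_evil/secret.txt"   # the bypass named in the review
    return {
        "weak_sibling": resolve_image_path(BASE_DIR, sibling, strict=False)[0],
        "strict_sibling": resolve_image_path(BASE_DIR, sibling, strict=True)[0],
        "strict_normal": resolve_image_path(BASE_DIR, "logo.png", strict=True)[0],
        "strict_dotdot": resolve_image_path(BASE_DIR, "../../app.py", strict=True)[0],
        "strict_absolute": resolve_image_path(BASE_DIR, "/etc/passwd", strict=True)[0],
        # Exact match with base_dir is allowed by the merged condition.
        "strict_self": resolve_image_path(BASE_DIR, ".", strict=True)[0],
    }


if __name__ == "__main__":
    for name, allowed in check_requests().items():
        print(f"{name:16s} -> {'allowed' if allowed else 'denied (403)'}")
```

Only the sibling-directory request differs between the two checks, which is exactly the gap the second revision of the hunk closes.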