PTC-W6004: Audit required: External control of file name or path (Python)

Severity: Minor
Category: Security
Tags: cwe, a01, a04, cwe-73, owasp-top-10

Python's open() function accepts a relative or absolute path and returns a handle to that file's contents. If a user can directly control the path that is opened, they can reach files the application never meant to expose (for example by climbing out of the intended directory with `..` segments), which is a serious security risk.

Bad practice

import os

def read_file(path):
    # `path` comes straight from the user and is joined without any check,
    # so '..' segments can escape 'some/path'.
    with open(os.path.join('some/path', path)) as f:
        return f.read()

# Someone can exploit `read_file` and see your secrets this way:
read_file('../../../secrets.txt')

Either use a static path:

def read_file(path):
    # The user-supplied argument is ignored; only a fixed file is ever opened.
    with open('some/path/to/file.txt') as f:
        return f.read()

Or, do some kind of validation to make sure you're not allowing arbitrary file access:

import os

def read_file(filename):
    # Allowlist: only these two names may ever be opened.
    if filename not in ('x.txt', 'y.txt'):
        return 'Invalid filename'

    with open(os.path.join('some/path', filename)) as f:
        return f.read()
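When a fixed allowlist is too restrictive, the same goal can be met by resolving the joined path and refusing anything that ends up outside the base directory. The code below is an added example, not the rule's own; the temporary directory, `base`, `x.txt` and `secrets.txt` are constructed for the demonstration.

```python
import os
import tempfile

def safe_join(base_dir, user_path):
    """Join user_path onto base_dir and refuse anything that escapes it.

    Returns the resolved absolute path, or None if the result would lie
    outside base_dir (via '..' segments, an absolute path, or a symlink).
    """
    base = os.path.realpath(base_dir)
    # os.path.join drops `base` entirely when user_path is absolute, so the
    # containment check below is what actually protects us.
    candidate = os.path.realpath(os.path.join(base, user_path))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:  # e.g. different drives on Windows
        return None
    return candidate

def read_file(base_dir, filename):
    """Read a file under base_dir; any path that resolves outside it is rejected."""
    target = safe_join(base_dir, filename)
    if target is None or not os.path.isfile(target):
        return 'Invalid filename'
    with open(target) as f:
        return f.read()

def demo():
    # Constructed layout: <tmp>/base/x.txt is allowed, <tmp>/secrets.txt is not.
    root = tempfile.mkdtemp()
    base = os.path.join(root, 'base')
    os.mkdir(base)
    with open(os.path.join(base, 'x.txt'), 'w') as f:
        f.write('public')
    with open(os.path.join(root, 'secrets.txt'), 'w') as f:
        f.write('SECRET')
    return {
        'allowed': read_file(base, 'x.txt'),
        'traversal': read_file(base, '../secrets.txt'),
        'absolute': read_file(base, os.path.join(root, 'secrets.txt')),
    }

if __name__ == '__main__':
    print(demo())
```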
