Unsanitized dynamic input in file path
- Rule ID: python_django_path_traversal
- Languages: python
- Source: path_traversal.yml
Description
Using unsanitized dynamic input to determine file paths can allow attackers to gain access to files and folders outside of the intended scope. This vulnerability occurs when input provided by users is directly used to access the filesystem without proper validation or sanitization.
Remediations
- Do not directly use external input to construct file paths. This can lead to unauthorized file access.
- Do sanitize external input used in file paths. Use os.path.normpath to normalize the joined path, collapsing redundant separators and "." / ".." segments so the result can be checked reliably:
  import os
  safe_path = os.path.normpath(os.path.join(base_directory, user_input))
  Normalization only tidies the string; it does not by itself reject a path that resolves outside base_directory, so pair it with the containment check below.
- Do use absolute path checks to confirm that the constructed path is within the expected directory:
  import os
  base = os.path.abspath(base_directory)
  user_path = os.path.abspath(os.path.join(base_directory, user_input))
  if not user_path.startswith(base + os.sep):
      # Reject the input: the resolved path escapes base_directory.
      # Appending os.sep stops a sibling such as base_directory + "2"
      # from passing as a plain string-prefix match.
      raise ValueError("path outside base directory")
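The two remediations above combined into one containment check, as an added example that is not part of the Bearer rule or its documentation. The base directory and file names are constructed inputs standing in for what a Django view would read from request.GET; no files are opened.

```python
import os


class PathTraversalError(ValueError):
    """Raised when a user-supplied path resolves outside the allowed directory."""


def resolve_under_base(base_directory: str, user_input: str) -> str:
    """Join user_input onto base_directory and return the absolute result only
    if it stays inside base_directory; otherwise raise PathTraversalError.

    abspath already normalizes (like os.path.normpath) and anchors the path;
    the containment check is what actually rejects '../' and absolute input.
    """
    base = os.path.abspath(base_directory)
    # os.path.join discards base when user_input is absolute, so an absolute
    # input lands outside base and is rejected by the check below.
    candidate = os.path.abspath(os.path.join(base, user_input))
    # commonpath compares whole components, so '/srv/app/uploads2' is not
    # treated as a child of '/srv/app/uploads' the way startswith() would.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"refusing path outside {base}: {user_input!r}")
    return candidate


def is_inside_base(base_directory: str, user_input: str) -> bool:
    """Boolean form of the check, convenient for request validation and tests."""
    try:
        resolve_under_base(base_directory, user_input)
    except PathTraversalError:
        return False
    return True


def naive_prefix_check(base_directory: str, user_input: str) -> bool:
    """Bare string-prefix check, kept only for contrast: it accepts a sibling
    directory whose name merely starts with the base directory's name."""
    base = os.path.abspath(base_directory)
    candidate = os.path.abspath(os.path.join(base, user_input))
    return candidate.startswith(base)


if __name__ == "__main__":
    # Constructed sample inputs; a hypothetical Django view would receive the
    # file name via request.GET["file"].
    base = "/srv/app/uploads"
    for name in ["report.pdf", "2024/q1.csv", "../settings.py",
                 "../uploads2/x", "/etc/passwd"]:
        print(f"{name!r:18} contained={is_inside_base(base, name)} "
              f"naive_prefix={naive_prefix_check(base, name)}")
```

The "../uploads2/x" case is the one to note: the naive prefix check accepts it while the component-wise check rejects it.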
Configuration
To skip this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --skip-rule=python_django_path_traversal
To run only this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --only-rule=python_django_path_traversal