fix(security)(flask): path traversal risk in blueprint.open_resource

The open_resource method joins the user-provided 'resource' parameter with root_path using os.path.join without sanitizing for path traversal sequences (e.g., '../'). If a developer passes user-controlled input to this method, it could allow reading arbitrary files on the filesystem.

Affected files: blueprints.py

Signed-off-by: Trần Bách <45133811+barttran2k@users.noreply.github.com>
This commit is contained in:
Trần Bách 2026-04-07 07:18:43 +07:00
parent 258d68b6ff
commit ae3a8d218e

@ -121,6 +121,10 @@ class Blueprint(SansioBlueprint):
raise ValueError("Resources can only be opened for reading.")
path = os.path.join(self.root_path, resource)
resolved = os.path.realpath(path)
if not resolved.startswith(os.path.realpath(self.root_path) + os.sep) and resolved != os.path.realpath(self.root_path):
raise ValueError("Detected path traversal: the resource path must be within root_path.")
if mode == "rb":
return open(path, mode) # pyright: ignore
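Review bot: the guard added before `if mode == "rb":` validates `resolved` but the unchanged `open(path, mode)` line still opens the unresolved `path`, so the check and the open operate on different names; opening `resolved` instead closes that gap and makes the two agree. The condition line also computes `os.path.realpath(self.root_path)` twice and runs well over 100 characters; precompute `root = os.path.realpath(self.root_path)` once and replace the `startswith(...) and resolved != ...` pair with `os.path.commonpath([root, resolved]) == root`, which handles the root-equals-resolved case without the extra clause. Since the new `ValueError` is a behaviour change for callers, the method's docstring (not shown in the hunk) should document it, and a regression test for a `../` resource belongs with the fix.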