From ae3a8d218e326576078be420831878cfafb57f05 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tr=E1=BA=A7n=20B=C3=A1ch?=
 <45133811+barttran2k@users.noreply.github.com>
Date: Tue, 7 Apr 2026 07:18:43 +0700
Subject: [PATCH] fix(security)(flask): path traversal risk in
 blueprint.open_resource
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The open_resource method joins the user-provided 'resource' parameter with root_path using os.path.join without sanitizing for path traversal sequences (e.g., '../'). If a developer passes user-controlled input to this method, it could allow reading arbitrary files on the filesystem.

Affected files: blueprints.py

Signed-off-by: Trần Bách <45133811+barttran2k@users.noreply.github.com>
---
 src/flask/blueprints.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/flask/blueprints.py b/src/flask/blueprints.py
index b6d4e433..1ef8e752 100644
--- a/src/flask/blueprints.py
+++ b/src/flask/blueprints.py
@@ -121,6 +121,10 @@ class Blueprint(SansioBlueprint):
             raise ValueError("Resources can only be opened for reading.")
 
         path = os.path.join(self.root_path, resource)
+        resolved = os.path.realpath(path)
+
+        if not resolved.startswith(os.path.realpath(self.root_path) + os.sep) and resolved != os.path.realpath(self.root_path):
+            raise ValueError("Detected path traversal: the resource path must be within root_path.")
 
         if mode == "rb":
             return open(path, mode)  # pyright: ignore