11class SimulationEnvironment:
12 def __init__(self, config_path):
13 # Load configuration from file
14 with open(config_path) as f:15 config = json.load(f)
16 self.config = config
17
12class SecurityMonitor:
13 def __init__(self, config_path):
14 # Load configuration from file
15 with open(config_path) as f:16 config = json.load(f)
17 self.config = config
18
14class AutonomyEngine:
15 def __init__(self, config_path):
16 # Load configuration from file
17 with open(config_path) as f: 18 config = json.load(f)
19 self.config = config
20
Python's open()
function can take in a relative or absolute path and read its file contents.
If a user is provided direct access to the path that is opened, it can have serious security risks.
def read_file(path):
with open(os.path.join('some/path', path)) as f:
f.read()
# Someone can exploit `read_file` and see your secrets this way:
read_file('../../../secrets.txt')
Either use a static path:
def read_file(path):
with open('some/path/to/file.txt') as f:
f.read()
Or, do some kind of validation to make sure you're not allowing arbitrary file access:
def read_file(filename):
if filename not in ('x.txt', 'y.txt'):
return 'Invalid filename'
with open(os.path.join('some/path', path)) as f:
f.read()