Description
If any scripts dynamically read or write files based on user input, it's possible for an attacker to use ../ (dot-dot-slash) sequences to escape the intended directory and access sensitive system files (Path Traversal).
Proposed Solution
I propose auditing the file I/O operations and implementing os.path.abspath validation or using pathlib.Path.resolve() to ensure all dynamically constructed paths remain strictly within their intended directory boundaries.
I would love to work on this critical security issue under the GSSoC '24 program! Could you please assign it to me?
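As an added illustration of the check proposed above (example code written for this page, not code from the project or the issue author), the block below puts the unsafe join, the tempting but insufficient `os.path.abspath` + string-prefix comparison, and a `pathlib.Path.resolve()`-based containment check side by side. The upload directory `/srv/app/uploads`, the file names and the temporary directory tree built by `symlink_demo()` are all constructed for the example.

```python
import os
import shutil
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a user-supplied path escapes the intended base directory."""


def unsafe_join(base_dir: str, user_path: str) -> str:
    # The pattern the issue warns about: join user input straight into a
    # filesystem path. "../" climbs out of base_dir, and an absolute
    # user_path makes os.path.join discard base_dir entirely.
    return os.path.join(base_dir, user_path)


def naive_prefix_check(base_dir: str, user_path: str) -> bool:
    # A common but insufficient fix: normalise with os.path.abspath and
    # compare string prefixes. It still accepts a sibling directory whose
    # name merely starts with base_dir (e.g. "uploads" vs "uploads-old").
    target = os.path.abspath(os.path.join(base_dir, user_path))
    return target.startswith(os.path.abspath(base_dir))


def safe_resolve(base_dir, user_path) -> Path:
    """Return the canonical path for user_path under base_dir, or raise.

    Path.resolve() removes "." and ".." components and follows symlinks, so
    a link inside base_dir that points outside it is caught as well. The
    containment test compares path components, not a string prefix, so a
    sibling directory with a longer name does not pass.
    """
    base = Path(base_dir).resolve()
    # An absolute user_path replaces base here; resolve() then yields a
    # path that is not under base, and the check below rejects it.
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathTraversalError(f"{user_path!r} escapes {base}") from None
    return candidate


def is_inside(base_dir, user_path) -> bool:
    """Boolean form of safe_resolve for callers that just want a verdict."""
    try:
        safe_resolve(base_dir, user_path)
        return True
    except PathTraversalError:
        return False


def symlink_demo() -> dict:
    """Build a throwaway tree (constructed for this example) in which
    uploads/link is a symlink to a directory outside uploads/, and show that
    the resolve-based check rejects reads through it while still accepting
    an ordinary file in the upload directory."""
    root = Path(tempfile.mkdtemp(prefix="traversal-demo-"))
    try:
        base = root / "uploads"
        outside = root / "outside"
        base.mkdir()
        outside.mkdir()
        (base / "ok.txt").write_text("constructed upload\n")
        (outside / "secret.txt").write_text("constructed secret\n")
        os.symlink(outside, base / "link")  # uploads/link -> ../outside
        return {
            "direct": is_inside(base, "ok.txt"),
            "via_symlink": is_inside(base, "link/secret.txt"),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    BASE = "/srv/app/uploads"  # hypothetical upload directory
    for p in ["reports/q1.csv", "../../etc/passwd", "/etc/passwd",
              "../uploads-old/dump.sql"]:
        print(p, "->", unsafe_join(BASE, p),
              "| prefix check:", naive_prefix_check(BASE, p),
              "| resolve check:", is_inside(BASE, p))
    print(symlink_demo())
```

The `relative_to` call is the actual boundary test; `Path.is_relative_to()` does the same on Python 3.9 and later. Because `resolve()` follows symlinks, the check must run on the final resolved path rather than on the user's string, and any file creation should use the returned `Path` so the checked and opened paths cannot diverge.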