send-file

python-flaskSecurityWarning


No tags

CWE-646

For extra security, make sure the mimetype of the file you are sending is not auto-detected but is explicitly defined in your application. If mimetype is not passed and attachment_filename is defined, attachment_filename will be used to detect the mime type.

See CWE-646: Reliance on File Name or Extension of Externally-Supplied File

AST rule: function call


send-file

How to write a rule
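/**
 * Codiga rule "send-file": report `flask.send_file(...)` calls that pass
 * neither `mimetype` nor a file name (`attachment_filename`, or its newer
 * spelling `download_name`) from which Flask can derive the MIME type, so the
 * response's Content-Type would otherwise be inferred rather than set by the
 * application (CWE-646).
 *
 * @param {object} node      AST node of a function call. The rule acts only
 *                           when `node.functionName.value === "send_file"` and
 *                           `node.context.imports` contains
 *                           `from flask import send_file`.
 * @param {string} filename  Path of the analysed file (not used by this rule).
 * @param {string} code      Source text of the analysed file (not used).
 * @returns {undefined}      Findings are reported through `addError`.
 */
function visit(node, filename, code) {
  if (!node.functionName || node.functionName.value !== "send_file") {
    return;
  }

  // Only fire for the Flask `send_file`; an unrelated helper that happens to
  // share the name must not be reported.
  const importsFlaskSendFile = (node.context.imports || []).some(
    (imp) =>
      imp.astType === "fromstatement" &&
      imp.pkg &&
      imp.pkg.value === "flask" &&
      Array.isArray(imp.elements) &&
      imp.elements.some((el) => el.name && el.name.value === "send_file")
  );
  if (!importsFlaskSendFile) {
    return;
  }

  // A call whose argument list cannot be inspected is left alone, as before.
  if (!node.arguments || !node.arguments.values) {
    return;
  }
  const args = node.arguments.values;
  // Keyword arguments only: a positionally passed mimetype is not recognised.
  // (The parameter is named `args`, not `arguments`, to avoid shadowing the
  // reserved identifier in sloppy-mode code.)
  const hasKeyword = (name) => args.some((a) => a.name && a.name.value === name);

  const hasMimetype = hasKeyword("mimetype");
  // `download_name` is the Flask 2.0+ name of `attachment_filename`; with either
  // one Flask derives the MIME type from the file name, so both satisfy the rule.
  const hasFilename =
    hasKeyword("attachment_filename") || hasKeyword("download_name");
  if (hasMimetype || hasFilename) {
    return;
  }

  const error = buildError(
    node.functionName.start.line,
    node.functionName.start.col,
    node.functionName.end.line,
    node.functionName.end.col,
    "function send_file needs to have mimetype or attachment_filename",
    "CRITICAL",
    "SECURITY"
  );
  // Both edits insert just before the closing parenthesis of the call.
  // `application/octet-stream` is used as the placeholder type because it is
  // never rendered by the browser; the previous default of `text/html` would
  // have made any served file renderable as a page. The developer is expected
  // to replace the placeholder with the real type.
  const insertLine = node.end.line;
  const insertCol = node.end.col - 1;
  const edit1 = buildEditAdd(insertLine, insertCol, ', mimetype="application/octet-stream"');
  const fix1 = buildFix(`add mimetype argument`, [edit1]);
  const edit2 = buildEditAdd(insertLine, insertCol, ', attachment_filename="myfile.ext"');
  const fix2 = buildFix(`add attachment_filename argument`, [edit2]);
  addError(error.addFix(fix1).addFix(fix2));
}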

correct.py

Expected test result: no error

from flask import send_file

@app.route('/qr/<path:path>')
def qr_code(path):
    """Serve a PNG QR code that encodes ``short_base + path``.

    Returns an empty body while the ``WIFIONLY`` environment variable is set
    to a non-empty value; otherwise renders the QR code into an in-memory
    buffer and returns it through ``send_file`` with an explicit
    ``mimetype``, so Flask never has to infer the content type.

    ``short_base`` is a module-level value not shown here -- presumably the
    URL prefix the code should point at; confirm against the module.
    """
    if os.environ.get('WIFIONLY'):
        return ''

    code = qrcode.QRCode(version=1,
                         error_correction=qrcode.constants.ERROR_CORRECT_L,
                         box_size=10,
                         border=4)
    payload = short_base + path
    code.add_data(payload)
    code.make(fit=True)

    buffer = io.BytesIO()
    code.make_image().save(buffer, 'PNG')
    buffer.seek(0)  # rewind so send_file streams from the first byte
    return send_file(buffer, mimetype='image/png')

missing.py

Expected test result: no error

from flask import send_file

@app.route('/qr/<path:path>')
def qr_code(path):
    """Serve a PNG QR code that encodes ``short_base + path``.

    Returns an empty body while the ``WIFIONLY`` environment variable is set
    to a non-empty value; otherwise renders the QR code into an in-memory
    buffer and returns it through ``send_file``. The call passes neither
    ``mimetype`` nor ``attachment_filename``, so Flask has to infer the
    content type itself -- this is exactly the pattern the send-file rule
    above reports.

    ``short_base`` is a module-level value not shown here -- presumably the
    URL prefix the code should point at; confirm against the module.
    """
    if os.environ.get('WIFIONLY'):
        return ''

    code = qrcode.QRCode(version=1,
                         error_correction=qrcode.constants.ERROR_CORRECT_L,
                         box_size=10,
                         border=4)
    payload = short_base + path
    code.add_data(payload)
    code.make(fit=True)

    buffer = io.BytesIO()
    code.make_image().save(buffer, 'PNG')
    buffer.seek(0)  # rewind so send_file streams from the first byte
    return send_file(buffer)