send-file

No tags

For extra security, make sure the mimetype of the file you are sending is not detected and is clearly defined in your application. If mimetype is not passed and attachment_filename is defined, attachment_filename will be used to detect the mime type.

See CWE-646: Reliance on File Name or Extension of Externally-Supplied File

Ast Rule: function call

send-file

How to write a rule

function visit(node, filename, code) {

  if (!node.functionName || node.functionName.value !== "send_file") {
    return;
  }

  const useLibraryAndFunction = node.context.imports.filter(i => {
    return (i.astType === "fromstatement" && i.pkg.value === "flask" &&
      i.elements &&
      i.elements.filter(e => e.name && e.name.value === "send_file").length > 0);
  }).length > 0;


  if (!useLibraryAndFunction) {
    return;
  }

  const hasArgument = (arguments, name) => {
    return arguments.filter(a => a.name && a.name.value === name).length > 0;
  };

  if (node.arguments && node.arguments.values) {
    const hasMimetype = hasArgument(node.arguments.values, "mimetype");
    const hasAttachmentFilename = hasArgument(node.arguments.values, "attachment_filename");


    if (!hasMimetype && !hasAttachmentFilename) {
      const error = buildError(node.functionName.start.line, node.functionName.start.col,
        node.functionName.end.line, node.functionName.end.col,
        "function send_file needs to have mimetype or attachment_filename", "CRITICAL", "SECURITY");
      const edit1 = buildEditAdd(node.end.line, node.end.col - 1, ', mimetype="text/html"');
      const fix1 = buildFix(`add mimetype argument`, [edit1]);
      const edit2 = buildEditAdd(node.end.line, node.end.col - 1, ', attachment_filename="myfile.ext"');
      const fix2 = buildFix(`add attachment_filename argument`, [edit2]);
      addError(error.addFix(fix1).addFix(fix2));
    }
  }
}

correct.py

Expected test result: no error

from flask import send_file

@app.route('/qr/<path:path>')
def qr_code(path):
    if os.environ.get('WIFIONLY'):
        return ''

    qr = qrcode.QRCode(
        version=1,
        error_correction=qrcode.constants.ERROR_CORRECT_L,
        box_size=10,
        border=4,
    )
    qr.add_data(short_base+path)
    qr.make(fit=True)
    img = io.BytesIO()
    qr.make_image().save(img, 'PNG')
    img.seek(0)
    return send_file(img, mimetype='image/png')

missing.py

Expected test result: no error

from flask import send_file

@app.route('/qr/<path:path>')
def qr_code(path):
    if os.environ.get('WIFIONLY'):
        return ''

    qr = qrcode.QRCode(
        version=1,
        error_correction=qrcode.constants.ERROR_CORRECT_L,
        box_size=10,
        border=4,
    )
    qr.add_data(short_base+path)
    qr.make(fit=True)
    img = io.BytesIO()
    qr.make_image().save(img, 'PNG')
    img.seek(0)
    return send_file(img)

Add comment

Be the first one to leave a comment!