make safe_join behave like os.path.join with *args #1730
Conversation
|
Is there a concrete usecase for this? I would expect this to cause confusion as it's no longer clear which components are trusted. |
|
I often use an another version which protect each single path components from crossing its boundary, depend on the case. I issued a pull request with this version because it was the easier one. e.g. (with base_dir coming from config and the other variables from the user) Checking every single path would be even better for me as it's the version I use most. |
|
I still don't understand which usecase this has. |
|
If you have many path to join you can do: Also you can switch from os.path.join to safe_join without problems even if you use *args. |
|
Couldn't you just do
|
|
Sure, but it would be nice to have safe_join to accept arguments exactly as its counterpart (I'm assuming it's os.path.join(a, *p)). It's easy to implement this behavior without breaking anything and so I proposed the pull request. If you see no value or no need to merge, no problem :) A version which checks every path components could be something like this |
|
You've still not given me a concrete usecase. I'm worried that the proposed API isn't secure in situations where it's assumed to be. On 22 February 2016 08:09:17 CET, Giampaolo Eusebi notifications@github.com wrote:
Sent from my Android device with K-9 Mail. Please excuse my brevity. |
|
I think for security-related functions it makes sense to keep them simple. Extra complexity just makes it more likely that someone uses them in an insecure fashion |
|
To be clear, I'd rather see a behavior where only the basepath is trusted, and the other args are treated as potentially malicious. On 22 February 2016 10:27:16 CET, Adrian notifications@github.com wrote:
Sent from my Android device with K-9 Mail. Please excuse my brevity. |
|
Here only the basepath is trusted https://gist.github.com/geusebi/b152f1ee17a66a9bbeee . Usecase: sometimes I happen to manipulate paths and I have to collect some of these paths from the user and from other untrusted sources. In the end I have a tuple or a list of paths to join, safe_join allow me to do it safely but I have to call it using reduce or with a loop to make it work with multiple paths. This puzzled me the first time as I presumed it was fully compatible with path.join. If I am the only one which thinks it can be useful and if so many (very reasonable) doubts are coming from this simple addition it should probably be refused :) |
|
I'll merge if you update the PR from the gist you posted and add a changelog. (Also you use a generator expression and a loop in the gist, it could be only one) |
|
👍 from me for this PR. With the current behavior of only allowing a single file to be joined to the basepath, we're increasing the likelihood that someone using this function has manually constructed their own insecure "basepath" (which wouldn't truly be a basepath at that point) to accommodate the function definition. |
|
This PR is insecure as well. It treats https://gist.github.com/geusebi/b152f1ee17a66a9bbeee is the correct approach. |
|
@geusebi Could you rebase and add tests? Thanks! |
|
Rebased and added some tests, let me know if you need something else. P.S. Many thanks |
|
Excellent, thanks! |
Make safe_join behave like os.path.join, which accept multiple path components with *args.
Note that only the ``directory'' 's bound is respected and the path components are only joined together.