Can the path returned by the ":path" convertor be trusted? #11541
First Check
Commit to Help
Example Code

    from fastapi import FastAPI

    app = FastAPI()

    @app.get("/files/{file_path:path}")
    async def read_file(file_path: str):
        # Is this path safe to use?
        return {"file_path": file_path}

Description

From a security standpoint, is the string returned from the ":path" converter safe to use? E.g. stripped of anything that would allow bad actors to access files they shouldn't? Flask has this method for sanitizing user-provided paths, for example: https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename

I would assume it is; from some basic testing it seems to return 404 errors if a user tries to do some stuff with ".." in the path. If so, it would be nice to call this out in the documentation to let users know that the string has already been sanitized.

PS: I also posted here, but have not received any response as of yet: encode/starlette#2585

Operating System
Linux

Operating System Details
No response

FastAPI Version
0.110

Pydantic Version
2.6

Python Version
3.8

Additional Context
No response
Replies: 2 comments 2 replies
I did not get a 404 when testing; instead I could access unintended files anywhere in the filesystem (using FastAPI 0.111.0).

    from fastapi import FastAPI

    app = FastAPI()

    @app.get("/file/{file_path:path}")
    def get_path(file_path: str):
        print(file_path)
        with open(file_path, "r") as f:
            content = f.read()
        return content

    curl http://localhost:8000/file/..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

Result:
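The thread establishes that the `:path` converter hands the handler the decoded path unchanged, so the containment check has to live in application code. Below is such a check, written here as an added example; it is not FastAPI's, Starlette's, or either poster's code. `resolve_under` maps the captured segment onto a base directory and rejects anything that resolves outside it (`..` segments, absolute paths, symlinks pointing out of the tree). The FastAPI wiring in the comment, the `BASE_DIR` name and the directory tree built in `demo()` are assumptions for illustration; the module itself only uses the standard library so it runs without FastAPI installed.

```python
"""Containment check for a user-supplied path captured by a {name:path} route."""
import os
import tempfile
from pathlib import Path
from typing import Optional, Union

# Assumed location of the files the route is meant to serve (placeholder).
BASE_DIR = Path("/srv/files")


def resolve_under(base_dir: Union[str, Path], user_path: str) -> Optional[Path]:
    """Map a route-captured path onto a file under base_dir.

    Returns the absolute, symlink-resolved path when it stays inside base_dir,
    or None when it would escape. Avoids Path.is_relative_to so it also works
    on Python 3.8 (the version the question reports).
    """
    if "\x00" in user_path:  # NUL bytes have no legitimate use in a file name
        return None
    base = Path(base_dir).resolve()
    # Path joining discards everything before an absolute component:
    # Path("/srv/files") / "/etc/passwd" == Path("/etc/passwd").
    # Strip leading separators so the user path is always treated as relative.
    candidate = (base / user_path.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(base)  # ValueError when candidate lies outside base
    except ValueError:
        return None
    return candidate


def read_under(base_dir: Union[str, Path], user_path: str) -> Optional[str]:
    """Return the file's text, or None if the path is rejected or not a regular file."""
    target = resolve_under(base_dir, user_path)
    if target is None or not target.is_file():
        return None
    return target.read_text()


# Route wiring (assumed; FastAPI is deliberately not imported so this block runs alone):
#
# from fastapi import FastAPI, HTTPException
# from fastapi.responses import FileResponse
# app = FastAPI()
#
# @app.get("/files/{file_path:path}")
# async def read_file(file_path: str):
#     target = resolve_under(BASE_DIR, file_path)
#     if target is None or not target.is_file():
#         raise HTTPException(status_code=404)   # same response for missing and rejected
#     return FileResponse(target)
#
# Note: the ASGI server decodes %2F once before routing, so the handler already
# sees "../../etc/passwd" for the curl above. Do not unquote() the value again:
# a literal "%2F" reaching the handler is part of a file name, not a separator.


def demo() -> dict:
    """Exercise the check against a constructed temporary directory tree."""
    root = Path(tempfile.mkdtemp())
    served = root / "files"
    (served / "docs").mkdir(parents=True)
    (served / "docs" / "readme.txt").write_text("hello from inside")
    (root / "secret.txt").write_text("outside the served tree")
    # A symlink inside the served tree that points outside it.
    os.symlink(root / "secret.txt", served / "link.txt")
    return {
        "legit": read_under(served, "docs/readme.txt"),
        "traversal": read_under(served, "../secret.txt"),
        "absolute": read_under(served, str(root / "secret.txt")),
        "symlink": read_under(served, "link.txt"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>10}: {result!r}")
```

Returning the same 404 for a rejected path and a genuinely missing file keeps the route from confirming which traversal attempts resolved to an existing file. The symlink case is why the check resolves the candidate before comparing it with the base rather than inspecting the string for `..`.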