Can the path returned by the ":path" convertor be trusted?

[pythonweb2]

First Check

• I added a very descriptive title here.
• I used the GitHub search to find a similar question and didn't find it.
• I searched the FastAPI documentation, with the integrated search.
• I already searched in Google "How to X in FastAPI" and didn't find any information.
• I already read and followed all the tutorial in the docs and didn't find an answer.
• I already checked if it is not related to FastAPI but to Pydantic.
• I already checked if it is not related to FastAPI but to Swagger UI.
• I already checked if it is not related to FastAPI but to ReDoc.

Commit to Help

• I commit to help with one of those options 👆

Example Code

from fastapi import FastAPI

app = FastAPI()


@app.get("/files/{file_path:path}")
async def read_file(file_path: str):
    # Is this path safe to use?
    return {"file_path": file_path}

Description

From a security standpoint, is the string returned from the ":path" converter safe to use? E.g. stripped of anything that would allow bad actors to access files they shouldn't?

Flask has this method for sanitizing user provided paths for example: https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename

I would assume it is, from some basic testing it seems to return 404 errors if a user tries to do some stuff with ".." in the path.

If so, it would be nice to call this out in the documentation to let users know that the string already has been sanitized.

ps. I also posted here, but have not received any response as of yet: encode/starlette#2585

Operating System

Linux

Operating System Details

No response

FastAPI Version

0.110

Pydantic Version

2.6

Python Version

3.8

Additional Context

No response

[Kludex]

Yes.

[pythonweb2]

@Kludex

Could I add a brief mention of that in the docs of FastAPI? Seems like it would be good to have it there as well.

[nymous]

I did not get a 404 when testing, instead I could access unintended files anywhere in the filesystem (using FastAPI 0.111.0).

from fastapi import FastAPI

app = FastAPI()

@app.get("/file/{file_path:path}")
def get_path(file_path: str):
    print(file_path)
    with open(file_path, "r") as f:
        content = f.read()
    return content

curl http://localhost:8000/file/..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

Result:

root:x:0:0::/root:/bin/bash\nbin:x:1:1::/:/usr/bin/nologin[...]

[Kludex]

Then... No. (changing my answer from above) 😬👍