From: selvi.j Date: Fri, 28 Apr 2023 06:17:26 +0000 (+0000) Subject: Coverity-CWE 22: Improper Limitation of a Pathname X-Git-Tag: release-v14.0-start~1 X-Git-Url: https://osm.etsi.org/gitweb/?a=commitdiff_plain;h=refs%2Fchanges%2F14%2F13314%2F2;p=osm%2FN2VC.git Coverity-CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Added fix for CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Change-Id: I6e39b16dc2cc796eb91485ff6dcecef38b29377b Signed-off-by: selvi.j --- diff --git a/n2vc/n2vc_conn.py b/n2vc/n2vc_conn.py index 4fa7e36..9e91a10 100644 --- a/n2vc/n2vc_conn.py +++ b/n2vc/n2vc_conn.py @@ -115,19 +115,27 @@ class N2VCConnector(abc.ABC, Loggable): self.log.warning("No HOME environment variable, using /tmp") homedir = "/tmp" sshdir = "{}/.ssh".format(homedir) + sshdir = os.path.realpath(os.path.normpath(os.path.abspath(sshdir))) if not os.path.exists(sshdir): os.mkdir(sshdir) self.private_key_path = "{}/id_n2vc_rsa".format(sshdir) + self.private_key_path = os.path.realpath( + os.path.normpath(os.path.abspath(self.private_key_path)) + ) self.public_key_path = "{}.pub".format(self.private_key_path) + self.public_key_path = os.path.realpath( + os.path.normpath(os.path.abspath(self.public_key_path)) + ) # If we don't have a key generated, then we have to generate it using ssh-keygen if not os.path.exists(self.private_key_path): - cmd = "ssh-keygen -t {} -b {} -N '' -f {}".format( + command = "ssh-keygen -t {} -b {} -N '' -f {}".format( "rsa", "4096", self.private_key_path ) # run command with arguments - subprocess.check_output(shlex.split(cmd)) + args = shlex.split(command) + subprocess.run(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE) # Read the public key. Only one public key (one line) in the file with open(self.public_key_path, "r") as file: