From: k4.rahul Date: Fri, 5 May 2023 08:48:47 +0000 (+0530) Subject: Coverity-CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path... X-Git-Tag: release-v14.0-start~2 X-Git-Url: https://osm.etsi.org/gitweb/?a=commitdiff_plain;h=refs%2Fchanges%2F38%2F13338%2F4;p=osm%2Fcommon.git Coverity-CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Coverity fix for 137960 Filesystem path, filename, or URI manipulation Change-Id: I0691a9f231d6b7019fe413c261f50262ea7fb923 Signed-off-by: k4.rahul --- diff --git a/osm_common/fsmongo.py b/osm_common/fsmongo.py index 4f4e5eb..2e47039 100644 --- a/osm_common/fsmongo.py +++ b/osm_common/fsmongo.py @@ -235,7 +235,9 @@ class FsMongo(FsBase): if e.errno != errno.ENOENT: # This is probably permission denied or worse raise - os.symlink(link, file_path) + os.symlink( + link, os.path.realpath(os.path.normpath(os.path.abspath(file_path))) + ) else: folder = os.path.dirname(file_path) if folder not in valid_paths: diff --git a/releasenotes/notes/fix_cwe22-c2677929fb74c79d.yaml b/releasenotes/notes/fix_cwe22-c2677929fb74c79d.yaml new file mode 100644 index 0000000..9eb9a90 --- /dev/null +++ b/releasenotes/notes/fix_cwe22-c2677929fb74c79d.yaml @@ -0,0 +1,21 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### +--- +security: + - | + Coverity-CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') + Coverity fix for 137960 Filesystem path, filename, or URI manipulation