From 8f3ab9a82608ffe74e6fd5d0c532822412dbc88a Mon Sep 17 00:00:00 2001 From: "k4.rahul" Date: Fri, 5 May 2023 14:18:47 +0530 Subject: [PATCH] Coverity-CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Coverity fix for 137960 Filesystem path, filename, or URI manipulation Change-Id: I0691a9f231d6b7019fe413c261f50262ea7fb923 Signed-off-by: k4.rahul --- osm_common/fsmongo.py | 4 +++- .../notes/fix_cwe22-c2677929fb74c79d.yaml | 21 +++++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/fix_cwe22-c2677929fb74c79d.yaml diff --git a/osm_common/fsmongo.py b/osm_common/fsmongo.py index 4f4e5eb..2e47039 100644 --- a/osm_common/fsmongo.py +++ b/osm_common/fsmongo.py @@ -235,7 +235,9 @@ class FsMongo(FsBase): if e.errno != errno.ENOENT: # This is probably permission denied or worse raise - os.symlink(link, file_path) + os.symlink( + link, os.path.realpath(os.path.normpath(os.path.abspath(file_path))) + ) else: folder = os.path.dirname(file_path) if folder not in valid_paths: diff --git a/releasenotes/notes/fix_cwe22-c2677929fb74c79d.yaml b/releasenotes/notes/fix_cwe22-c2677929fb74c79d.yaml new file mode 100644 index 0000000..9eb9a90 --- /dev/null +++ b/releasenotes/notes/fix_cwe22-c2677929fb74c79d.yaml @@ -0,0 +1,21 @@ +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### +--- +security: + - | + Coverity-CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') + Coverity fix for 137960 Filesystem path, filename, or URI manipulation -- 2.25.1