From: k4.rahul <rahul.k4@tataelxsi.co.in>
Date: Fri, 5 May 2023 08:48:47 +0000 (+0530)
Subject: Coverity-CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path... 
X-Git-Tag: release-v14.0-start~2
X-Git-Url: https://osm.etsi.org/gitweb/?p=osm%2Fcommon.git;a=commitdiff_plain;h=8f3ab9a82608ffe74e6fd5d0c532822412dbc88a

Coverity-CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Coverity fix for 137960 Filesystem path, filename, or URI manipulation

Change-Id: I0691a9f231d6b7019fe413c261f50262ea7fb923
Signed-off-by: k4.rahul <rahul.k4@tataelxsi.co.in>
---

diff --git a/osm_common/fsmongo.py b/osm_common/fsmongo.py
index 4f4e5eb..2e47039 100644
--- a/osm_common/fsmongo.py
+++ b/osm_common/fsmongo.py
@@ -235,7 +235,9 @@ class FsMongo(FsBase):
                     if e.errno != errno.ENOENT:
                         # This is probably permission denied or worse
                         raise
-                os.symlink(link, file_path)
+                os.symlink(
+                    link, os.path.realpath(os.path.normpath(os.path.abspath(file_path)))
+                )
             else:
                 folder = os.path.dirname(file_path)
                 if folder not in valid_paths:
diff --git a/releasenotes/notes/fix_cwe22-c2677929fb74c79d.yaml b/releasenotes/notes/fix_cwe22-c2677929fb74c79d.yaml
new file mode 100644
index 0000000..9eb9a90
--- /dev/null
+++ b/releasenotes/notes/fix_cwe22-c2677929fb74c79d.yaml
@@ -0,0 +1,21 @@
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+---
+security:
+  - |
+    Coverity-CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
+    Coverity fix for 137960 Filesystem path, filename, or URI manipulation