security
heitorpolidoro committed Jan 16, 2024
1 parent ac26510 commit 9b42eba
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion app.py
Expand Up @@ -59,7 +59,8 @@ def index():
@app.route("/<path:filename>", methods=["GET"])
def file(filename):
"""Convert a md file into HTML and return it"""
if not filename.endswith(".md") or "/" in filename:
allowed_files = ["README.md", "pull-request.md"]
if filename not in allowed_files:
abort(404)
with open(filename) as f:

Check failure (Code scanning / SonarCloud): I/O function calls should not be vulnerable to path injection attacks. Severity: High. Change this code to not construct the path from user-controlled data.
md = f.read()
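Review bot: the allowlist introduced on the added lines blocks traversal, but `open(filename)` still hands the request-supplied value straight to the I/O call, which is why the SonarCloud path-injection finding stays attached to this line. Consider resolving through the allowlist instead of only checking membership, e.g. a module-level `ALLOWED_FILES = {"README.md": "README.md", "pull-request.md": "pull-request.md"}` and `with open(ALLOWED_FILES[filename]) as f:` after the `abort(404)` check, so the opened path is a constant the scanner and a reader can trace back to code rather than to the URL. Hoisting the list to module level also avoids rebuilding it on every request, and a short comment noting that any new Markdown page must be added to the allowlist would save the next contributor a puzzling 404.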

0 comments on commit 9b42eba