From 1c1d6bd29b713659f9e2d185cabe950c9f16ea1d Mon Sep 17 00:00:00 2001
From: marcsello
Date: Fri, 27 Nov 2020 16:01:23 +0100
Subject: [PATCH] Fixed security issues
---
 caff_previewer_wrapper/app.py | 2 +-
 caff_previewer_wrapper/converter.py | 9 +++++++--
 caff_previewer_wrapper/utils.py | 4 ++--
 3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/caff_previewer_wrapper/app.py b/caff_previewer_wrapper/app.py
index 65e27cb..98188a7 100644
--- a/caff_previewer_wrapper/app.py
+++ b/caff_previewer_wrapper/app.py
@@ -73,4 +73,4 @@ def perform_conversion():
 if __name__ == '__main__':
- app.run(debug=True)
+ app.run(debug=True) # nosec: app only launches in debug mode... if it's launched in developement mode
diff --git a/caff_previewer_wrapper/converter.py b/caff_previewer_wrapper/converter.py
index 8382f0d..4ec7b28 100644
--- a/caff_previewer_wrapper/converter.py
+++ b/caff_previewer_wrapper/converter.py
@@ -1,4 +1,5 @@
-import subprocess
+import os.path
+import subprocess # nosec: That's the whole point of this application
 from flask import current_app
 import werkzeug.exceptions
@@ -11,11 +12,15 @@ def run_abstract_converter(converter: str, source: str, destination: str) -> int
 :param destination: destination file
 :returns: exitcode of the converter
 """
- completed_process = subprocess.run([converter, source, destination],
+ if not (os.path.isfile(source) and os.path.isfile(converter)):
+ raise FileNotFoundError("Source or converter binary does not exists")
+
+ completed_process = subprocess.run([converter, source, destination], # nosec: Concerning arguments checked above
 timeout=current_app.config['CONVERSION_TIMEOUT'], env={})
 return completed_process.returncode
+
 def convert_caff_to_tga(source: str, destination: str):
 """
 This function uses caff_previewer to convert a CAFF file into a TGA file
diff --git a/caff_previewer_wrapper/utils.py b/caff_previewer_wrapper/utils.py
index 63d586f..62774a0 100644
--- a/caff_previewer_wrapper/utils.py
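Review bot: The `# nosec` on `app.run(debug=True)` silences the finding without removing the hard-coded debug flag, so any deployment that happens to start the app with `python app.py` (a container entrypoint, a service unit) still exposes the Werkzeug interactive debugger to anyone who can reach the port. Let the environment decide instead: `app.run()` with no argument follows Flask's `DEBUG` setting, so development can enable it via `FLASK_DEBUG=1` while a production start stays off by default. If the line is kept as is, the comment should at least name the risk rather than assume the launch mode, and `developement` is a typo.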
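Review bot: The `# nosec: Concerning arguments checked above` justification on the `subprocess.run` line overstates what the new `os.path.isfile` guard proves: it shows that `source` and `converter` exist as regular files (symlinks followed) at check time, not that `converter` is a trusted binary or that `source` lies where the app expects, so the guard does not make an attacker-influenced path safe, and a file can still change between the check and the call. What actually keeps this call safe is the argv list with no shell plus the pre-existing `env={}`, and the comment should say that, e.g. `# nosec: argv list, no shell; converter and source paths are produced by this app`, provided that holds for the callers, which are outside this hunk. The new `FileNotFoundError` belongs in the docstring too, `:raises FileNotFoundError: if *source* or *converter* is not an existing regular file`, and the message `does not exists` should read `does not exist`. The `def run_abstract_converter` line is above the hunk and `convert_caff_to_tga` continues below it.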
+++ b/caff_previewer_wrapper/utils.py
@@ -5,7 +5,7 @@ import hashlib
 def write_file_to_fd_while_calculating_md5(fd: int) -> str:
 chunksize = current_app.config['RECIEVE_CHUNKSIZE']
- m = hashlib.md5()
+ m = hashlib.md5() # nosec: md5 is used only for integrity checking here
 total_recieved = 0
@@ -28,7 +28,7 @@ def write_file_to_fd_while_calculating_md5(fd: int) -> str:
 def create_md5_sum_for_file(fname):
- m = hashlib.md5()
+ m = hashlib.md5() # nosec: md5 is used only for integrity checking here
 with open(fname, "rb") as f:
 for chunk in iter(lambda: f.read(4096), b""):
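Review bot: The `# nosec: md5 is used only for integrity checking here` justification on `m = hashlib.md5()` describes the one use MD5 is no longer fit for: integrity checking is exactly where its practical collision weakness matters, because two different files can carry the same digest, so whether this is acceptable depends on whether the sum is ever compared against a client-supplied value or used to deduplicate uploads, which these hunks do not show. If the digest is only a non-security fingerprint, say so and make it explicit to the tooling with `hashlib.md5(usedforsecurity=False)` (Python 3.9+), which also keeps working on FIPS-restricted builds; if it is meant to detect tampering, switch to `hashlib.sha256()`. The same change and comment appear in the `@@ -28,7 +28,7 @@` hunk in `create_md5_sum_for_file`, and both function bodies continue outside their hunks.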