Django: ShiftLeft Scan (SLS) reports a vulnerability on read_excel of an uploaded file

Tags: django, pandas, security, file-upload

I'm building a website with Django and, to be on the safe side, we run everything through ShiftLeft Scan. The site lets users import "work assignments" from an Excel file. The question is: how do I do this securely, so that it passes the ShiftLeft scan?

Code:
import pandas as pd
from django.urls import reverse_lazy
from django.views import generic

from .forms import ImportForm
from .models import Assignment


class ImportView(generic.FormView):
    template_name = 'assignments/import.html'
    form_class = ImportForm
    success_url = reverse_lazy('assignment_import')

    def post(self, request, *args, **kwargs):
        form = self.get_form()
        if form.is_valid():
            # handle upload here: the workbook is read straight from the
            # UploadedFile's underlying file object (this is the line SLS flags)
            assignments = pd.read_excel(request.FILES['file'].file)
            for i, assignment in assignments.iterrows():
                assignment_obj = Assignment()
                assignment_obj.name = assignment['name']
                assignment_obj.save()
            return self.form_valid(form)
        else:
            return self.form_invalid(form)
The vulnerability returned by SLS:

{
    "rule_id": "taint-traversal",
    "rule_name": "Directory Traversal",
    "severity": "CRITICAL",
    "cwe_category": "CWE-22",
    "owasp_category": "a5-broken-access-control",
    "source": {
        "label": "request",
        "line_number": 188,
        "path": "/app/survey/views.py"
    },
    "source_trigger_word": "Framework function URL parameter",
    "source_type": "Framework_Parameter",
    "sink": {
        "label": "~call_2 = ret_pandas.read_excel(request.FILES[file].file, ...",
        "line_number": 196,
        "path": "/app/survey/views.py"
    },
    "sink_trigger_word": "read_excel(",
    "sink_type": "Exfiltration",
    "type": "Vulnerability",
    "reassignment_nodes": [],
    "description": "Exfiltration of data (Path Traversal) due to user data from `request in views.py:188` influencing file operations in `views.py:196`.",
    "short_description": "Exfiltration of data (Path Traversal) due to user data from `request in views.py:188` influencing file operations in `views.py:196`."
},
My media root is set up as follows (from settings.py; I realise I'm mixing pathlib.Path with os.path and will clean that up soon):

    MEDIA_ROOT = os.getenv('MEDIA_ROOT', Path(os.path.join(Path(__file__).resolve().parent, 'uploads')).resolve())

Do you know how to make this work securely?
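The finding above is a taint rule: request data reaches a sink (`read_excel(`) that can open files by path. In the posted view the argument is `request.FILES['file'].file`, which is already an open file object rather than a user-supplied path, so no directory traversal is possible on that line; but the view also accepts whatever bytes arrive, with no type, size, column or row checks, and those are the checks a practitioner would want. The following is an added example, not the original poster's code and not part of any Django or pandas API: it validates the upload by extension, size and magic bytes, hands pandas an in-memory `BytesIO` buffer so that by construction no string from the request can be interpreted as a path, and whitelists the columns it will store. Only the `name` column comes from the question; `MAX_UPLOAD_BYTES`, `MAX_ROWS`, `MAX_NAME_LENGTH`, `ALLOWED_EXTENSIONS`, `REQUIRED_COLUMNS`, `UploadRejected` and every function below are assumptions of this example.

```python
# Added example, not the original poster's code: a hardened way to read the
# uploaded workbook. pandas only ever receives a byte buffer (never a filename
# or path), the upload is validated first, and the accepted columns are whitelisted.
# All constants and functions here are assumptions of this example; only the
# 'name' column comes from the question.
import io
import os
from typing import Iterable, List

MAX_UPLOAD_BYTES = 5 * 1024 * 1024   # assumed cap; pick one that fits the deployment
MAX_ROWS = 10_000                    # assumed cap on rows imported per request
MAX_NAME_LENGTH = 200                # assumed; should match the Assignment.name field
ALLOWED_EXTENSIONS = {".xlsx", ".xls"}
REQUIRED_COLUMNS = {"name"}          # the only column the question's view uses

# Magic bytes: .xlsx is an OOXML zip container, legacy .xls is an OLE2 compound file.
XLSX_MAGIC = b"PK\x03\x04"
XLS_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the view should surface it as a form error."""


def validate_upload(filename: str, data: bytes) -> str:
    """Check extension, size and magic bytes; return the detected kind, 'xlsx' or 'xls'.

    The filename is only inspected for its extension and is never used to open
    anything, so a crafted name such as '../../etc/passwd.xlsx' cannot reach the
    filesystem: the bytes already in memory are all that gets parsed.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"unsupported file type {ext or '(none)'}")
    if not data:
        raise UploadRejected("empty upload")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("upload exceeds the size limit")
    if ext == ".xlsx" and data.startswith(XLSX_MAGIC):
        return "xlsx"
    if ext == ".xls" and data.startswith(XLS_MAGIC):
        return "xls"
    raise UploadRejected("file content does not match its extension")


def clean_rows(records: Iterable[dict]) -> List[str]:
    """Enforce the row cap and the column whitelist; return the cleaned names.

    Cells are untrusted: blank/NaN cells and over-long values are rejected
    instead of being written to the database.
    """
    rows = list(records)
    if len(rows) > MAX_ROWS:
        raise UploadRejected(f"more than {MAX_ROWS} rows")
    names: List[str] = []
    for sheet_row, row in enumerate(rows, start=2):   # row 1 of the sheet is the header
        missing = REQUIRED_COLUMNS - set(row)
        if missing:
            raise UploadRejected(f"missing column(s): {sorted(missing)}")
        name = row["name"]
        if not isinstance(name, str) or not name.strip():   # pandas yields NaN for blank cells
            raise UploadRejected(f"row {sheet_row}: empty name")
        name = name.strip()
        if len(name) > MAX_NAME_LENGTH:
            raise UploadRejected(f"row {sheet_row}: name longer than {MAX_NAME_LENGTH}")
        names.append(name)
    return names


def load_assignments(filename: str, data: bytes) -> List[str]:
    """Validate, then parse the workbook from memory with pandas and clean the rows."""
    validate_upload(filename, data)
    import pandas as pd  # imported here so the validators above need no pandas at import time

    # BytesIO makes the sink a file-like object by construction: there is no string
    # argument pandas could treat as a path. nrows bounds the parse; dtype=str stops
    # pandas from silently coercing cells into numbers or dates.
    frame = pd.read_excel(io.BytesIO(data), sheet_name=0, nrows=MAX_ROWS + 1, dtype=str)
    frame.columns = [str(c).strip().lower() for c in frame.columns]
    return clean_rows(frame.to_dict(orient="records"))


def handle_import(uploaded) -> List[str]:
    """Entry point for the view. `uploaded` is a Django UploadedFile, or any object
    with .name, .size and .read(); .size is checked before anything is read so an
    oversized upload is rejected without buffering it."""
    if uploaded.size > MAX_UPLOAD_BYTES:
        raise UploadRejected("upload exceeds the size limit")
    data = uploaded.read(MAX_UPLOAD_BYTES + 1)   # +1 catches a size that lies
    return load_assignments(uploaded.name, data)
```

To wire this into the question's view, replace the `pd.read_excel(...)` line and the loop with a call to `handle_import(request.FILES['file'])` inside `try`/`except UploadRejected as exc`, call `form.add_error('file', str(exc))` and return `self.form_invalid(form)` on rejection, and otherwise create the `Assignment` objects from the returned names (inside `transaction.atomic()` so a failure part-way through does not leave a half-imported sheet). Reading `.xlsx` needs openpyxl and legacy `.xls` needs xlrd installed alongside pandas; if only `.xlsx` is wanted, drop `.xls` from `ALLOWED_EXTENSIONS`. Whether a given scanner version stops reporting the line cannot be promised from here, but no value derived from the request reaches pandas as anything other than an in-memory buffer.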