SECURITY: Directory Traversal

**Location of vulnerability**: [Line 187 in user.py](https://github.com/meolu/walle-web/blob/f96dc41ed882782d52ec62fddbe0213b8b9158ec/walle/api/user.py#L187)

**Severity**: High ([Similar rating to another similar app/use-case](https://security.snyk.io/vuln/SNYK-PYTHON-KWIK-12704809))

**Description**: The `avatar()` method of `UserAPI()` in `user.py` allows for Directory Traversal and Information Disclosure. The method uses `request.save()` from Flask, but does NOT validate the filename (variable `fname`) for harmful characters first.

**Remediation**: Use `pathlib.Path` and explicit checks to validate `fname` before using. More information on potential implementation found [here](https://systemweakness.com/file-path-traversal-vulnerable-vs-secure-implementation-in-python-b618ddcf597d).



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

SECURITY: Directory Traversal #1200

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

SECURITY: Directory Traversal #1200

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions