nccgroup / sobelow

Security-focused static analysis for the Phoenix Framework
Apache License 2.0
1.66k stars 92 forks

Added File.stream/.stream! to Traversal check #151

Closed jcowgar closed 8 months ago

jcowgar commented 8 months ago

The stream functions were missing from the File traversal checks. This adds them. Checking for stream is as important as open.
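The point made above, that an untrusted path reaching File.stream! is as dangerous as one reaching File.open, shown as an added Elixir example that is not from the PR or from sobelow; the module name, the "name" request parameter and the base directory are assumed for illustration.

```elixir
# Added example, not sobelow's code: the pattern the Traversal check flags,
# beside a hardened form. Assumes the request params arrive as a map with a
# user-controlled "name" key; the base directory is a constructed value.
defmodule ExportDownload do
  @base_dir "/var/app/exports"  # constructed for the example

  # Vulnerable: the untrusted name reaches File.stream!/1 unchanged, so a value
  # such as "../../etc/passwd" is read once the stream is enumerated, exactly
  # as it would be through File.open/2. This is what the check should report.
  def stream_unsafe(%{"name" => name}) do
    File.stream!(Path.join(@base_dir, name))
  end

  # Hardened: reject names that escape the base directory before streaming.
  # Path.safe_relative/1 (Elixir >= 1.14) returns :error for absolute paths and
  # for any ".." segment that would climb above the directory it is joined to.
  def stream_safe(%{"name" => name}) do
    case Path.safe_relative(name) do
      {:ok, rel} -> {:ok, File.stream!(Path.join(@base_dir, rel))}
      :error -> {:error, :invalid_path}
    end
  end
end
```

Path.safe_relative/1 does not follow symlinks inside the base directory; if that matters in your deployment, resolve the joined path and confirm it still starts with the base directory before streaming.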

houllette commented 8 months ago

This is a great add - thanks for catching this and opening the PR, @jcowgar!

jcowgar commented 8 months ago

There were a few others missing from the File traversal checks; I was unsure if I should add them all or not. For example, chgrp, rename, rm_rf!, and touch. I also was not sure if ls should be added. You can access the file system that way, but not alter it. I wasn't sure how paranoid the check should be.

Let me know, I'd be happy to open another PR if desired.