Describe the bug
Bug 1: Path validation checks one path but reads another
Description
tryReadRequirementFile() validates fullPath (constructed from wd + file) but then reads filepath.Clean(file) instead of fullPath.
As a result, the path being validated and the path being read may differ.
Impact
- File validation can pass while a different file is actually read.
- Leads to incorrect file access and unpredictable behavior depending on the working directory.
Code Reference
fullPath := filepath.Join(wd, file)
...
data, err := os.ReadFile(filepath.Clean(file))
Suggested Fix
Read from the validated path:
os.ReadFile(fullPath)
Current behavior
The code validates a constructed absolute path (wd + file) to ensure it stays within the working directory, but then ignores that validated path and reads the file using a cleaned relative path instead. As a result, the validation does not actually protect the file read.
Reproduction steps
Run as is
Expected behavior
The code should read the exact same path it validated. If the validated path is rejected, no read should occur. File reads/writes must be consistent with the validated canonical path.
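The mismatch described above, as an added example that is not Frogbot's own code: a stand-in validator (assumed name validatedPath) next to the reported pattern (readRequirementFileBuggy, reading filepath.Clean(file)) and the fixed variant that reads the validated path (readRequirementFileFixed); the two reads only diverge when the process working directory differs from wd.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

var errOutsideWorkDir = errors.New("requirement file resolves outside the working directory")

// validatedPath stands in for the check the report describes (assumed name):
// join wd and file, then reject anything that escapes wd.
func validatedPath(wd, file string) (string, error) {
	absWd, err := filepath.Abs(wd)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absWd, file) // Join also cleans the result
	rel, err := filepath.Rel(absWd, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errOutsideWorkDir
	}
	return full, nil
}

// readRequirementFileBuggy reproduces the reported pattern: validate the joined
// path, then read filepath.Clean(file), which resolves against the process cwd, not wd.
func readRequirementFileBuggy(wd, file string) ([]byte, error) {
	if _, err := validatedPath(wd, file); err != nil {
		return nil, err
	}
	return os.ReadFile(filepath.Clean(file))
}

// readRequirementFileFixed reads exactly the path that was validated.
func readRequirementFileFixed(wd, file string) ([]byte, error) {
	full, err := validatedPath(wd, file)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(full)
}
```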
JFrog Frogbot version
LATEST
Package manager info
python
Git provider
GitHub
JFrog Frogbot configuration yaml file
The default one that gets installed.
Operating system type and version
ALL
JFrog Xray version
LATEST