Description of the false positive
The rule does not recognise `os.path.basename` as a sanitizer for path injection: joining a fixed directory with only the final path component of the user-supplied filename discards any `../` segments and absolute-path prefixes.
This is a common mitigation, and here is open-source code that uses such a sanitizer:
https://github.com/tok41/ChocoBallDetector/blob/727ad9845f8df26daa95b8ce1597d59ea2ba0185/app.py#L74
CodeQL will raise an alarm on Line 74.
Here is a simplified minimal example:
```python
from flask import Flask, request, send_file  # $ Source
import os

app = Flask(__name__)
STATIC_DIR = "/server/static/"


@app.route("/download-secure")
def download_secure():
    filename = request.args.get('filename', '')
    # Secure mitigation pattern: sanitize filename to prevent traversal.
    # basename keeps only the last path component, so e.g.
    # "../../etc/passwd" becomes "passwd" before it is joined to STATIC_DIR.
    path = os.path.join(STATIC_DIR, os.path.basename(filename))
    return send_file(path)  # $ result=OK
```
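To make the sanitizer's effect concrete, the following is an added example (not code from this report or from the ChocoBallDetector project) that applies the same `basename` + `join` pattern to a set of constructed attacker inputs and checks, with `os.path.realpath`, whether the resulting path still lies strictly inside `STATIC_DIR`. The directory path is hypothetical and does not need to exist, since the checks are lexical. It also shows the two inputs a practitioner should keep in mind: `os.path.basename("..")` is `".."`, and `os.path.basename("")` is `""`, so those two requests produce a path that is not a file under `STATIC_DIR`. Neither yields a file disclosure through `basename`, but it is why pairing the sanitizer with a containment check (or using Flask's `send_from_directory`) is sound defence in depth.

```python
import os

# Hypothetical static directory, mirroring the pattern in the report.
# It need not exist on disk: realpath resolves a missing path lexically.
STATIC_DIR = "/server/static/"


def basename_join(user_filename: str, base_dir: str = STATIC_DIR) -> str:
    """The mitigation the rule should recognise: keep only the final path
    component, which drops '../' segments and absolute-path prefixes."""
    return os.path.join(base_dir, os.path.basename(user_filename))


def is_inside(base_dir: str, candidate: str) -> bool:
    """Defence in depth: resolve both paths (symlinks included) and require
    the candidate to be a strict descendant of the base directory."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(candidate)
    return target != base and os.path.commonpath([base, target]) == base


def classify(user_filename: str) -> dict:
    path = basename_join(user_filename)
    return {"input": user_filename, "path": path, "inside": is_inside(STATIC_DIR, path)}


# Constructed inputs: typical traversal payloads plus two edge cases.
SAMPLES = [
    "report.pdf",
    "../../../etc/passwd",
    "/etc/passwd",
    "static/../../etc/passwd",
    "..",  # basename("..") is "..": the joined path resolves to the parent directory
    "",    # basename("") is "": the joined path is STATIC_DIR itself, not a file
]


def run_samples() -> list:
    return [classify(s) for s in SAMPLES]


if __name__ == "__main__":
    for r in run_samples():
        print(f"{r['input']!r:28} -> {r['path']!r:32} inside={r['inside']}")
```

Every traversal payload collapses to `/server/static/passwd`, which is the behaviour the rule should credit as sanitization. The two edge cases are the reason the containment check is worth keeping next to `basename`: it rejects them without relying on what `send_file` does with a directory path.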