Sanitizing a file path in python

Question

I have a file browser application that exposes a directory and its contents to the users.

I want to sanitize the user input, which is a file path, so that it does not allow absolute paths such as '/tmp/' and relative paths such as '../../etc'

Is there a python function that does this across platforms?

Answer 1

Also for people searching for a way to get rid of A/./B -> A/B and A/B/../C -> A/C in paths. You can use os.path.normpath for that.

Answer 2

A comprehensive filepath sanitiser for python

I wasn't really satisfied with any of the available methods for sanitising a path, so I wrote my own, relatively comprehensive path sanitiser. This is suitable* for taking input from a public endpoint (http upload, REST endpoint, etc) and ensuring that if you save data at the resulting file path, it will not damage your system**. (Note: this code targets Python 3+, you'll probably need to make some changes to make it work on 2.x)

* No guarantees! Please don't rely on this code without checking it thoroughly yourself.

** Again, no guarantees! You could still do something crazy and set your root path on a *nix system to /dev/ or /bin/ or something like that. Don't do that. There are also some edge cases on Windows that could cause damage (device file names, for example), you could check the secure_filename method from werkzeug's utils for a good start on dealing with these if you're targeting Windows.

How it works

• You need to specify a root path, the sanitiser will ensure that all paths returned are under this root. Check the get_root_path function for where to do this. Make sure the value for the root path is from your own configuration, not input from the user!
• There is a file name sanitiser which:
  • Converts unicode to ASCII
  • Converts path separators to underscores
  • Only allows certain characters from a whitelist in the file name. The whitelist includes all lower and uppercase letters, all digits, the hyphen, the underscore, the space, opening and closing round brackets and the full stop character (period). You can customise this whitelist if you want to.
  • Ensures all names have at least one letter or number (to avoid names like '..')
• To get a valid file path, you should call make_valid_file_path. You can optionally pass it a subdirectory path in the path parameter. This is the path underneath the root path, and can come from user input. You can optionally pass it a file name in the filename parameter, this can also come from user input. Any path information in the file name you pass will not be used to determine the path of the file, instead it will be flattened into valid, safe components of the file's name.
  • If there is no path or filename, it will return the root path, correctly formatted for the host file system, with a trailing path separator (/).
  • If there is a subdirectory path, it will split it into its component parts, sanitising each with the file name sanitiser and rebuilding the path without a leading path separator.
  • If there is a file name, it will sanitise the name with the sanitiser.
  • It will os.path.join the path components to get a final path to your file.
  • As a final double-check that the resulting path is valid and safe, it checks that the resulting path is somewhere under the root path. This check is done properly by splitting up and comparing the component parts of the path, rather than just ensuring one string starts with another.

OK, enough warnings and description, here's the code:

import os

def ensure_directory_exists(path_directory):
    if not os.path.exists(path_directory):
        os.makedirs(path_directory)

def os_path_separators():
    seps = []
    for sep in os.path.sep, os.path.altsep:
        if sep:
            seps.append(sep)
    return seps

def sanitise_filesystem_name(potential_file_path_name):
    # Sort out unicode characters
    valid_filename = normalize('NFKD', potential_file_path_name).encode('ascii', 'ignore').decode('ascii')
    # Replace path separators with underscores
    for sep in os_path_separators():
        valid_filename = valid_filename.replace(sep, '_')
    # Ensure only valid characters
    valid_chars = "-_.() {0}{1}".format(string.ascii_letters, string.digits)
    valid_filename = "".join(ch for ch in valid_filename if ch in valid_chars)
    # Ensure at least one letter or number to ignore names such as '..'
    valid_chars = "{0}{1}".format(string.ascii_letters, string.digits)
    test_filename = "".join(ch for ch in potential_file_path_name if ch in valid_chars)
    if len(test_filename) == 0:
        # Replace empty file name or file path part with the following
        valid_filename = "(Empty Name)"
    return valid_filename

def get_root_path():
    # Replace with your own root file path, e.g. '/place/to/save/files/'
    filepath = get_file_root_from_config()
    filepath = os.path.abspath(filepath)
    # ensure trailing path separator (/)
    if not any(filepath[-1] == sep for sep in os_path_separators()):
        filepath = '{0}{1}'.format(filepath, os.path.sep)
    ensure_directory_exists(filepath)
    return filepath

def path_split_into_list(path):
    # Gets all parts of the path as a list, excluding path separators
    parts = []
    while True:
        newpath, tail = os.path.split(path)
        if newpath == path:
            assert not tail
            if path and path not in os_path_separators():
                parts.append(path)
            break
        if tail and tail not in os_path_separators():
            parts.append(tail)
        path = newpath
    parts.reverse()
    return parts

def sanitise_filesystem_path(potential_file_path):
    # Splits up a path and sanitises the name of each part separately
    path_parts_list = path_split_into_list(potential_file_path)
    sanitised_path = ''
    for path_component in path_parts_list:
        sanitised_path = '{0}{1}{2}'.format(sanitised_path, sanitise_filesystem_name(path_component), os.path.sep)
    return sanitised_path

def check_if_path_is_under(parent_path, child_path):
    # Using the function to split paths into lists of component parts, check that one path is underneath another
    child_parts = path_split_into_list(child_path)
    parent_parts = path_split_into_list(parent_path)
    if len(parent_parts) > len(child_parts):
        return False
    return all(part1==part2 for part1, part2 in zip(child_parts, parent_parts))

def make_valid_file_path(path=None, filename=None):
    root_path = get_root_path()
    if path:
        sanitised_path = sanitise_filesystem_path(path)
        if filename:
            sanitised_filename = sanitise_filesystem_name(filename)
            complete_path = os.path.join(root_path, sanitised_path, sanitised_filename)
        else:
            complete_path = os.path.join(root_path, sanitised_path)
    else:
        if filename:
            sanitised_filename = sanitise_filesystem_name(filename)
            complete_path = os.path.join(root_path, sanitised_filename)
        else:
            complete_path = complete_path
    complete_path = os.path.abspath(complete_path)
    if check_if_path_is_under(root_path, complete_path):
        return complete_path
    else:
        return None

Answer 3

This will prevent the user inputting filenames like ../../../../etc/shadow but will also not allow files in subdirs below basedir (i.e. basedir/subdir/moredir is blocked):

from pathlib import Path
test_path = (Path(basedir) / user_input).resolve()
if test_path.parent != Path(basedir).resolve():
    raise Exception(f"Filename {test_path} is not in {Path(basedir)} directory")

If you want to allow subdirs below basedir:

if not Path(basedir).resolve() in test_path.resolve().parents:
    raise Exception(f"Filename {test_path} is not in {Path(basedir)} directory")

Answer 4

I ended up here looking for a quick way to handle my use case and ultimately wrote my own. What I needed was a way to take in a path and force it to be in the CWD. This is for a CI system working on mounted files.

def relative_path(the_path: str) -> str:
    '''
    Force the spec path to be relative to the CI workspace
    Sandboxes the path so that you can't escape out of CWD
    '''
    # Make the path absolute
    the_path = os.path.abspath(the_path)
    # If it started with a . it'll now be /${PWD}/
    # We'll get the path relative to cwd
    if the_path.startswith(os.getcwd()):
        the_path = '{}{}'.format(os.sep, os.path.relpath(the_path))
    # Prepend the path with . and it'll now be ./the/path
    the_path = '.{}'.format(the_path)
    return the_path

In my case I didn't want to raise an exception. I just want to force that any path given will become an absolute path in the CWD.

Tests:

def test_relative_path():
    assert relative_path('../test') == './test'
    assert relative_path('../../test') == './test'
    assert relative_path('../../abc/../test') == './test'
    assert relative_path('../../abc/../test/fixtures') == './test/fixtures'
    assert relative_path('../../abc/../.test/fixtures') == './.test/fixtures'
    assert relative_path('/test/foo') == './test/foo'
    assert relative_path('./test/bar') == './test/bar'
    assert relative_path('.test/baz') == './.test/baz'
    assert relative_path('qux') == './qux'

Answer 5

This is an improvement on @mneil's solution, using relpath's secret second argument:

import os.path

def sanitize_path(path):
    """
    Sanitize a path against directory traversals

    >>> sanitize_path('../test')
    'test'
    >>> sanitize_path('../../test')
    'test'
    >>> sanitize_path('../../abc/../test')
    'test'
    >>> sanitize_path('../../abc/../test/fixtures')
    'test/fixtures'
    >>> sanitize_path('../../abc/../.test/fixtures')
    '.test/fixtures'
    >>> sanitize_path('/test/foo')
    'test/foo'
    >>> sanitize_path('./test/bar')
    'test/bar'
    >>> sanitize_path('.test/baz')
    '.test/baz'
    >>> sanitize_path('qux')
    'qux'
    """
    # - pretending to chroot to the current directory
    # - cancelling all redundant paths (/.. = /)
    # - making the path relative
    return os.path.relpath(os.path.normpath(os.path.join("/", path)), "/")

if __name__ == '__main__':
    import doctest
    doctest.testmod()

Answer 6

To be very specific to the question asked but raise an exception rather than converting the path to relative:

path = 'your/path/../../to/reach/root'
if '../' in path or path[:1] == '/':
    raise Exception

Answer 7

Adding to @Åsmund 's answer, but using only os library. When the file is in one of the sub directory of the base directory and the sub-directory is derived from user input at runtime, the filename must be prefixed with the subdirectory path like subdir1/subdir2/image.jpg and subdir_allowed is set True

import os

def sanitize_path(basepath:str, filename:str, subdir_allowed:bool) -> str:
    # basepath should be absolute. Example: '/app/public'
    # filename is relative to base. Example: 'image.jpg' or 'subdir1/subdir2/image.jpg' when subdir_allowed=True
    
    filepath = os.path.join(basepath, filename)
    # filepath will look like '/app/public/../../usr/secret.txt
    real_filepath = os.path.realpath(filepath) # resolves symbolic links and /../
    # real_filepath will look like '/usr/secret.txt'

    if subdir_allowed:
        prefix = os.path.commonpath((basepath, real_filepath))
    else:
        prefix = os.path.dirname(real_filepath) #directory of the file

    if prefix == basepath:
        return real_filepath
    else:
        raise Exception('Target file is not in the allowed base path')

Note: filename can't start with '/' and basepath must always start with '/'