Is it unsafe to use Flask's route converters?

Question

I have a set of static data files on my server, which are named something like;

file1.dat
file2.dat
file3.dat
...

I'm trying to serve these via an endpoint in my Flask app. Right now, I'm doing the following;

STATIC_DIRECTORY = Path("static/directory/location/on/my/server")
@app.route("/fetch_data/<file_number>", methods=["GET"])
def fetch_data(file_number: int) -> str:
    file_loc = STATIC_DIRECTORY / f"file{file_number}.dat"
    return file_loc.read_text()

Is it safe for me to use file_number in this way, or will it expose me to attacks similar to SQL injection?

score 1 · Accepted Answer · answered Mar 15 '20 at 16:49

1

I don't think having the type annotation : int on the function has any effect.

@app.route("/fetch_data/<int:file_number>", methods=["GET"])

would enable the int converter ... but if you want to be extra safe, instead of

f"file{file_number}.dat"

you can do

f"file{int(file_number)}.dat"

answered Mar 15 '20 at 16:49

AKX

152,115
15
115
172

oh fantastic, I didn't realise that Flask had typing built in to the converters like that. Thanks so much! – jimbarrett27 Mar 15 '20 at 16:52

Is it unsafe to use Flask's route converters?

1 Answers1