Sobelow.Misc.FilePath (Sobelow v0.11.1)
Note: This check has been deprecated. File/Path issues were addressed with the release of OTP 21.
user_input = "/var/www/secret.txt\0/name"
path = Path.dirname(user_input)
public_file = path <> "/public.txt"
File.read(public_file)
Because Path functions are not null-terminated, this
will attempt to read the file "/var/www/secret.txt\0/public.txt".
However, due to the null-byte termination of File functions,
"secret.txt" will ultimately be read.
File/Path checks can be ignored with the following command:
$ mix sobelow -i Misc.FilePath
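A defensive wrapper for the File/Path pattern shown above, as an added example that is not part of Sobelow or its documentation: it rejects input containing a null byte before any Path function runs and, going one step beyond the case on this page, confirms the resolved path stays under a base directory. The module name SafePublicFile, the function resolve/2 and the base directory "/var/www" are assumptions made for illustration.

```elixir
defmodule SafePublicFile do
  # Hypothetical helper; not part of Sobelow or the Elixir standard library.

  # Assumed base directory that all served files must live under.
  @base_dir "/var/www"

  @doc """
  Returns {:ok, path} for the public.txt that sits next to `user_input`,
  or {:error, reason} when the input must not reach File functions.
  """
  def resolve(user_input, base_dir \\ @base_dir) when is_binary(user_input) do
    if String.contains?(user_input, <<0>>) do
      # Path functions keep everything after the null byte, while a
      # null-terminated file API stops at it. Refuse the input outright
      # instead of letting the two layers disagree about the file name.
      {:error, :null_byte}
    else
      base = Path.expand(base_dir)

      # Same derivation as the example above, then normalised so that
      # "." and ".." segments are resolved before the containment check.
      candidate =
        user_input
        |> Path.dirname()
        |> Path.join("public.txt")
        |> Path.expand(base)

      if String.starts_with?(candidate, base <> "/") do
        {:ok, candidate}
      else
        {:error, :outside_base_dir}
      end
    end
  end
end

# Constructed sample inputs: the null-byte input from the example above,
# a well-formed path, and a path that climbs out of the base directory.
for input <- [
      "/var/www/secret.txt\0/name",
      "/var/www/docs/name",
      "/var/www/../../etc/name"
    ] do
  IO.inspect({input, SafePublicFile.resolve(input)})
end
```

Only a path returned as {:ok, path} should be handed to File.read/1.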