How to prevent directory traversal attack from Python code

I need to prevent from directory traversal attack from my code using Python. My code is below:

if request.GET.get('param') is not None and request.GET.get('param') != '':
    param = request.GET.get('param')
    startdir = os.path.abspath(os.curdir)
    requested_path = os.path.relpath(param, startdir)
    requested_path = os.path.abspath(requested_path)
    print(requested_path)
    tfile = open(requested_path, 'rb')
    return HttpResponse(content=tfile, content_type="text/plain")

if request.GET.get('param') is not None and request.GET.get('param') != '':

    param = request.GET.get('param')

    startdir = os.path.abspath(os.curdir)

    requested_path = os.path.relpath(param, startdir)

    requested_path = os.path.abspath(requested_path)

    print(requested_path)

    tfile = open(requested_path, 'rb')

    return HttpResponse(content=tfile, content_type="text/plain")

​

Here I need user is running like http://127.0.0.1:8000/createfile/?param=../../../../../../../../etc/passwd this it should prevent the directory traversal attack.

Answer

Suppose the user content is all located in

safe_dir = '/home/saya/server/content/'

safe_dir = '/home/saya/server/content/'

​

Ending with / is important as heinrichj mentions to ensure the check below matches against a specific directory.

You need to verify the final request is in there:

if os.path.commonprefix((os.path.realpath(requested_path),safe_dir)) != safe_dir: 
    #Bad user!

if os.path.commonprefix((os.path.realpath(requested_path),safe_dir)) != safe_dir: 

    #Bad user!

​

If the requested path is allowed to be the save_dir itself, you would also need to allow entry if os.path.realpath(requested_path)+'/' == safe_dir.

I encourage you to make sure all stuff you want accessible by the user in one place.