Web UI dataset #617
base: main
# Conflicts:
#	cli/medperf/commands/list.py
#	cli/medperf/entities/benchmark.py
#	cli/medperf/entities/cube.py
#	cli/medperf/entities/dataset.py
#	cli/medperf/entities/interface.py

MLCommons CLA bot: All contributors have signed the MLCommons CLA ✍️ ✅
full_path = os.path.join(BASE_DIR, path) | ||
os.path.join(BASE_DIR, path) | ||
if not os.path.exists(full_path) or not os.path.isdir(full_path): |
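Review bot: `os.path.join(BASE_DIR, path)` does not confine `full_path` to `BASE_DIR` when `path` comes from the request: an absolute `path` makes `join` discard `BASE_DIR` entirely, and `..` segments climb out of it, so the `os.path.exists`/`os.path.isdir` check on the next line is evaluated against whatever directory the caller named. Resolve first (`os.path.realpath`) and return an error unless `os.path.commonpath([base_real, full_real]) == base_real`, before any filesystem call is made; a `startswith` check is not enough because it accepts sibling directories that share the prefix.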
Check failure (Code scanning / CodeQL): Uncontrolled data used in path expression, High: user-provided value
This function lists all files and folders on the server side. So, yes, it is expected to use the user's given path to list its content (though it still may be dangerous? I don't know)
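A hardened version of the listing logic discussed in the comment above, written as an added example rather than code from the medperf PR: the user-supplied path is resolved and checked for containment before any filesystem call, and entries that resolve outside the base (such as symlinks) are skipped. `BASE_DIR` is replaced by a constructed temporary directory so the block runs stand-alone.

```python
import os
import tempfile


def resolve_under_base(base_dir: str, user_path: str) -> str:
    """Real path of user_path under base_dir; ValueError if it escapes."""
    base_real = os.path.realpath(base_dir)
    # join() drops base_dir for absolute input and '..' climbs out of it,
    # so containment is checked on the resolved, symlink-free path.
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    # commonpath, not startswith: /srv/data must not accept /srv/data2.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def is_confined(base_dir: str, user_path: str) -> bool:
    try:
        resolve_under_base(base_dir, user_path)
        return True
    except ValueError:
        return False


def list_folders(base_dir: str, user_path: str) -> list:
    """Sub-directory names of user_path, skipping entries that resolve
    outside base_dir (e.g. a symlink pointing elsewhere)."""
    full_path = resolve_under_base(base_dir, user_path)
    if not os.path.isdir(full_path):
        raise FileNotFoundError(user_path)
    folders = []
    for item in sorted(os.listdir(full_path)):
        item_path = os.path.join(full_path, item)
        # isdir() follows symlinks, so confine the entry before trusting it
        if is_confined(base_dir, item_path) and os.path.isdir(item_path):
            folders.append(item)
    return folders


def build_sample_tree() -> str:
    """Constructed layout (assumption, not real data): data/a, data/b,
    data/notes.txt and a symlink data/escape pointing outside the base."""
    base = tempfile.mkdtemp(prefix="medperf_base_")
    os.makedirs(os.path.join(base, "data", "a"))
    os.makedirs(os.path.join(base, "data", "b"))
    open(os.path.join(base, "data", "notes.txt"), "w").close()
    try:
        os.symlink(os.path.dirname(base), os.path.join(base, "data", "escape"))
    except OSError:
        pass  # no symlink support here; the listing result is unaffected
    return base
```

`list_folders(build_sample_tree(), "data")` yields only `a` and `b`; `../`, `/etc` and `data/../..` are rejected by `resolve_under_base` before anything is read.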
# List directories inside the path | ||
folders = [] | ||
for item in os.listdir(full_path): |
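Review bot: `os.listdir(full_path)` is reached with the same unconfined `full_path`, so this is the point where an escaped path actually discloses directory contents, not a duplicate of the earlier alert. A single containment check on `full_path` (resolve with `os.path.realpath`, compare with `os.path.commonpath` against the real `BASE_DIR`) placed before the `exists`/`isdir` test clears this alert as well, so it is worth fixing at the top of the function rather than guarding each call.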
Check failure (Code scanning / CodeQL): Uncontrolled data used in path expression, High: user-provided value
folders = [] | ||
for item in os.listdir(full_path): | ||
item_path = os.path.join(full_path, item) | ||
if os.path.isdir(item_path): |
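Review bot: `os.path.isdir(item_path)` follows symlinks, so an entry under the listed directory that links to a location outside `BASE_DIR` is still reported as a folder and becomes a valid `path` for the next request even once `full_path` itself is confined. Resolve `item_path` with `os.path.realpath` and skip entries whose real path is not under `BASE_DIR`, or exclude links with `os.path.islink` if the web UI never needs to follow them.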
Check failure (Code scanning / CodeQL): Uncontrolled data used in path expression, High: user-provided value
@router.get("/fetch-yaml") | ||
async def fetch_yaml(url: str): | ||
try: | ||
response = requests.get(url) |
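Review bot: `requests.get(url)` fetches whatever URL the client passes, from the server's own network position, and the `try` around it only handles errors, not where the request goes; that is why CodeQL rates this as full SSRF rather than a partial one. Validate `url` before the call: parse it, accept only `https` (and `http` if really needed) and a host allow-list of the origins the UI is meant to load YAML from, and reject anything else with a 400. Also pass a `timeout`, cap the response size, and either set `allow_redirects=False` or re-validate the redirect target, since a permitted host can otherwise redirect the server elsewhere.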
Check failure (Code scanning / CodeQL): Full server-side request forgery, Critical