Can the path returned by the ":path" convertor be trusted?

[pythonweb2]

From a security standpoint, is the string returned from the ":path" converter safe to use? E.g. stripped of anything that would allow bad actors to access files they shouldn't?

Flask has this method for sanitizing user provided paths for example: https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename

I would assume it is, from some basic testing it seems to return 404 errors if a user tries to do some stuff with ".." in the path.

If so, it would be nice to call this out in the documentation to let users know that the string already has been sanitized.

[Kludex]

Yes.

[pythonweb2]

Can this be called out in the documentation? I can start a PR if that would help.

[hasansezertasan]

I think there would (or will be) a security vulnerability record if it wasn't. I don't think pointing it out is necessary.

[dokterbob]

Absolutely not. There's no protection whatsoever. It's just like a str except a string won't allow /.

starlette/starlette/convertors.py

Line 33 in 2d0dde8

class PathConvertor(Convertor[str]):

[dokterbob]

Something like this might do the trick:

from starlette.convertors import Convertor, register_url_convertor


class SafeStringConvertor(Convertor):
    regex = r"^[^./\\:*?\"<>|]+$"

    def convert(self, value: str) -> str:
        if not re.match(self.regex, value):
            raise ValueError("Invalid characters in string")
        return value

    def to_string(self, value: str) -> str:
        if not value:
            raise ValueError("Must not be empty")
        if not re.match(self.regex, value):
            raise ValueError("Invalid characters in string")
        return value


register_url_convertor("safe_str", SafeStringConvertor())