Updated Code Security Guidelines (markdown)

Ankush Menat
2023-12-27 13:33:26 +05:30
parent f59952a31e
commit cb8e13c45a

@@ -113,4 +113,12 @@ If you're reading or writing to a file and user can somehow control the file pat
- Use "File" doctype API wherever possible to create files and read content. File doctype ensures that whatever you're reading and writing belongs to the site.
- If it's not possible and you're accepting user input in any way make sure the path is:
- not traversing back using /../../
- In site's folder and not somewhere else.
- In site's folder and not somewhere else.
Example:
```python
@frappe.whitelist()
def get_file(path):
return open(path).read() # This allows reading everything on server.
```
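Review bot: the bullet "In site's folder and not somewhere else." appears twice in the added checklist; drop one copy. The snippet under "Example:" shows only the vulnerable `get_file`, which opens whatever path the caller supplies, and the comment `# This allows reading everything on server.` is the only hint at the fix; placing the hardened counterpart next to it (resolve the supplied path with `os.path.realpath` and refuse it unless the resolved path lies inside the site's folder) would show readers the exact check the two bullets ask for rather than just the anti-pattern. Also verify that "not traversing back using /../../" and the site-folder bullet render as sub-items of "If it's not possible and you're accepting user input in any way make sure the path is:", since in the hunk they sit at the same list level as their parent.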