External Control of File Name or Path
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-73: External Control of File Name or Path |
| OWASP | A04:2021 - Insecure Design |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
Passing user-controlled input directly to the send_file method lets an attacker choose which file the server reads and returns, so they can request and download sensitive files from your server. Always validate or sanitize user input before passing it to any file-serving function.
Impact
If exploited, an attacker could read files outside the intended directory, such as configuration files or application secrets, leading to a data breach or compromise of the entire server. This exposes sensitive information and puts the application and its users at risk.
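As an added illustration of the validate-before-serve advice above (example code, not part of this rule's text or of any project), the following Python shows the unsafe join next to a containment check that can run before a call such as send_file. The base directory, file names and secret value are constructed fixtures; the helper names are hypothetical.

```python
import tempfile
from pathlib import Path
from typing import Optional, Tuple


def unsafe_resolve(base_dir: Path, requested: str) -> Path:
    """The vulnerable pattern: the request value is joined onto base_dir and
    handed straight to the file-serving call. '../' segments and absolute
    paths both leave base_dir, which is exactly what CWE-73 describes."""
    return Path(base_dir) / requested


def safe_resolve(base_dir: Path, requested: str) -> Optional[Path]:
    """Return the file to serve, or None when the request must be refused.

    Resolves '..' segments and symlinks first, then requires the result to be
    a regular file located under the real base directory."""
    base = Path(base_dir).resolve()
    if Path(requested).is_absolute():
        return None                      # an absolute input would replace base_dir
    target = (base / requested).resolve()
    try:
        target.relative_to(base)         # raises ValueError if target is outside base
    except ValueError:
        return None                      # traversal or symlink escape
    if not target.is_file():
        return None                      # directories and missing files are refused
    return target


def make_demo_tree() -> Tuple[Path, Path]:
    """Constructed fixture (hypothetical layout): <tmp>/public/report.txt is
    meant to be served; <tmp>/secret.txt sits one level above it and must
    never be reachable through the download handler."""
    root = Path(tempfile.mkdtemp())
    public = root / "public"
    public.mkdir()
    (public / "report.txt").write_text("quarterly report")
    (root / "secret.txt").write_text("db_password=hunter2")
    return public, root / "secret.txt"


if __name__ == "__main__":
    public, secret = make_demo_tree()
    print(unsafe_resolve(public, "../secret.txt").read_text())  # the unchecked join leaks the secret
    print(safe_resolve(public, "../secret.txt"))                # None: request refused
    print(safe_resolve(public, "report.txt"))                   # the file that was meant to be served
```

Whatever safe_resolve returns is what gets passed to the file-serving call; a None result should become a 404 or 400 response rather than a fallback to the raw input.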