Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add to pyguide.md point about checking symbolic links #3153

Merged
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 45 additions & 0 deletions docs/styleguide/PyGuide.md
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,8 @@
- [6.3 Folder structure](#63-folder-structure)
- [6.4 Test runtime considerations](#64-test-runtime-considerations)
- [6.5 BKC management](#65-bkc-management)
- [7 SDL rules](#s7-sdl-rules)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think external developers know what is SDL. Either explain the abbreviation or just call it "Security rules"

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed sdl to security

- [7.1 Symlinks](#71-symlinks)

</details>

Expand Down Expand Up @@ -965,3 +967,46 @@ Good:
```bash
torch==2.1.0
```

<a id="s7-sdl-rules"></a>
<a id="7-sdl-rules"></a>
<a id="sdl-rules"></a>

## 7 SDL rules

<a id="s71-symlinks"></a>
<a id="71-symlinks"></a>
<a id="symlinks"></a>

### 7.1 Symlinks

The software attempts to access a file based on the filename, but it does not properly prevent that filename from
identifying a hard or symlinks that resolves to an unintended recourses.

Check for existence if file before opening or creating them:

- If they already exists, make sure they are neither symbolic links nor hard links, unless it is an expected requirement of the application.
- If a symlink is expected, check the target of the symlink to make sure it is pointing to an expected path before any other action.

Bad:

```python
with open(file_path) as f:
loaded_json = json.load(f)
```

Good:

```python
from nncf.common.utils.os import safe_open
...
with safe_open(file_path) as f:
loaded_json = json.load(f)
```

```python
from nncf.common.utils.os import fail_if_symlink
...
fail_if_symlink(file_path)
function_to_save_or_read_file(file_path)
```