SCP12 File and Memory Management
What this means
SiteShadow flagged file-handling and memory-safety patterns that can lead to data exposure, tampering, or availability issues (path manipulation, unsafe temp files, unsafe parsing, unbounded reads).
Why it matters
File and memory issues commonly become:
- Path traversal and file disclosure (see CWE-22/CWE-73).
- Symlink/TOCTOU attacks when writing to predictable paths (see CWE-61/CWE-362).
- DoS from loading huge files into memory (see CWE-419/CWE-400).
Safer examples
1) Enforce base directories for file access (Python)
from pathlib import Path

def resolve_under_base(base_dir, filename):
    base = Path(base_dir).resolve()
    candidate = (base / filename).resolve()  # collapses "..", follows symlinks, absolute input replaces base
    if base not in candidate.parents:        # base must be an ancestor of the resolved result
        raise ValueError("Invalid path")
    return candidate
2) Use safe temp files
Use OS-managed temp APIs and avoid predictable filenames.
3) Stream large files instead of reading into memory
Process uploads/downloads in chunks; set size limits (see INPUT01-02).
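The three practices above (base-directory enforcement, OS-managed temp files, chunked copying with a size limit) combined into one upload-saving routine, as an added example that is not SiteShadow's code or part of the original page. The function and class names (resolve_under_base, copy_bounded, save_upload_streamed, FileTooLarge, demo) and the sample upload bodies are constructed for illustration; the size limit is an arbitrary parameter you would set per endpoint.

```python
import io
import os
import tempfile
from pathlib import Path

CHUNK_SIZE = 64 * 1024  # read/write granularity; keeps memory use independent of file size


class FileTooLarge(ValueError):
    """Raised when an upload exceeds the configured byte limit."""


def resolve_under_base(base_dir, filename):
    """Resolve base_dir/filename and refuse anything that escapes base_dir.

    resolve() collapses '..' and follows symlinks, so the check covers traversal
    segments, absolute paths (which replace the base when joined) and symlink escapes.
    """
    base = Path(base_dir).resolve()
    candidate = (base / filename).resolve()
    if base not in candidate.parents:  # base must be a strict ancestor of the result
        raise ValueError(f"path escapes base directory: {filename!r}")
    return candidate


def copy_bounded(src, dst, max_bytes, chunk_size=CHUNK_SIZE):
    """Stream src into dst in chunks; abort once more than max_bytes have been seen."""
    written = 0
    while True:
        chunk = src.read(chunk_size)
        if not chunk:
            return written
        written += len(chunk)
        if written > max_bytes:
            raise FileTooLarge(f"upload exceeds {max_bytes} bytes")
        dst.write(chunk)


def save_upload_streamed(base_dir, filename, source, max_bytes):
    """Save a binary stream under base_dir/filename without predictable temp names.

    Data goes to an OS-generated temporary file in the destination directory
    (unpredictable name, created exclusively) and is renamed into place only after
    the size check passes, so a partial or oversized upload never appears under the
    final name and a crash leaves no half-written file there.
    """
    dest = resolve_under_base(base_dir, filename)
    dest.parent.mkdir(parents=True, exist_ok=True)
    tmp = tempfile.NamedTemporaryFile(dir=dest.parent, prefix=".upload-", delete=False)
    try:
        with tmp:
            written = copy_bounded(source, tmp, max_bytes)
        os.replace(tmp.name, dest)  # atomic rename within the same filesystem
    except BaseException:
        Path(tmp.name).unlink(missing_ok=True)  # clean up on size violation or any other failure
        raise
    return written


def demo():
    """Exercise the routine on a throwaway directory with constructed inputs."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        body = b"hello world\n" * 1000  # constructed 12000-byte upload
        results["written"] = save_upload_streamed(base, "reports/q1.txt", io.BytesIO(body), max_bytes=16_000)
        results["content_ok"] = (Path(base) / "reports" / "q1.txt").read_bytes() == body
        try:
            resolve_under_base(base, "../outside.txt")
            results["traversal_rejected"] = False
        except ValueError:
            results["traversal_rejected"] = True
        try:
            save_upload_streamed(base, "big.bin", io.BytesIO(b"x" * 20_000), max_bytes=16_000)
            results["oversize_rejected"] = False
        except FileTooLarge:
            results["oversize_rejected"] = True
        results["oversize_left_no_file"] = not (Path(base) / "big.bin").exists()
        results["no_temp_leftover"] = not any(p.name.startswith(".upload-") for p in Path(base).iterdir())
    return results


if __name__ == "__main__":
    print(demo())
```

The temp file is created in the destination directory rather than a shared /tmp so that os.replace is a same-filesystem rename and no other user can pre-create or swap the path; the limit is enforced while streaming, so an oversized body is rejected after at most max_bytes plus one chunk has been buffered, never after being read whole into memory.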
How SiteShadow detects it (high level)
- Detects file operations influenced by untrusted input and missing base-dir enforcement.
- Flags unbounded reads/parsing patterns and risky temp file usage.
References
- OWASP Secure Coding Practices: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/
---