Original Post: Flask check: send_file() with a file handle
Summary by Grayson Hardaway, Engineering @ r2c
Background:
At r2c, the mission is to improve software security and reliability to safeguard human progress by developing custom program analysis checks made available through Bento, a developer tool for bug detection. These checks include integrated tools like Flake8, Bandit, and ESLint, and initially focus on web frameworks like Flask, Requests, and AWS SDK for Python (Boto).
The Problem:
One identified issue involves Flask's send_file function, which throws a ValueError unless a filename or mimetype is provided. Since Flask version 0.12 the framework no longer infers the mimetype for file-like objects, and the custom check in Bento detects improper use of open(filename, 'r') passed to flask.send_file() without the necessary keyword arguments.
Is This Check Any Good?:
Using r2c’s analysis platform, the check was tested on 1.2k Flask-using repositories on GitHub, initially yielding false positives which were adjusted. The final check detected 109 instances across 15 repositories, helping catch errors early in development. The check is available by default in Bento as of version 0.6.
Examples:
The check flags cases where send_file is called without keyword arguments, but treats calls with a string argument, a mimetype, or an attachment_filename as acceptable.
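To make the acceptance rules above concrete, here is an added, self-contained sketch of the same logic as an AST walk over Python source. It is not r2c's or Bento's code; it flags send_file calls whose first argument is not a string literal and that carry neither mimetype nor attachment_filename (download_name is also accepted, as the name Flask 2.x gave that parameter). The sample source it scans is constructed for the example.

```python
import ast

# Keyword arguments that give Flask enough to set Content-Type for a
# file-like object. attachment_filename is the name the post discusses;
# download_name is the Flask 2.x replacement (assumption: accepted here too).
ACCEPTED_KEYWORDS = {"mimetype", "attachment_filename", "download_name"}


def _is_send_file_call(node: ast.Call) -> bool:
    """True for both `send_file(...)` and `flask.send_file(...)`."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id == "send_file"
    if isinstance(func, ast.Attribute):
        return func.attr == "send_file"
    return False


def _first_arg_is_string(node: ast.Call) -> bool:
    """A string path lets Flask infer the mimetype from the filename."""
    if not node.args:
        return False
    first = node.args[0]
    return isinstance(first, ast.Constant) and isinstance(first.value, str)


def find_send_file_issues(source: str) -> list:
    """Return line numbers of send_file calls that pass a non-string
    (file-like) first argument without a mimetype or filename hint.

    Only the positional form is inspected; a file object passed by
    keyword is not covered by this sketch. Calls with a **kwargs splat
    are skipped, since the keywords cannot be known statically (the
    conservative choice that avoids a false positive)."""
    issues = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not _is_send_file_call(node):
            continue
        if _first_arg_is_string(node):
            continue
        keywords = {kw.arg for kw in node.keywords}
        if None in keywords:  # **kwargs present: undecidable, skip
            continue
        if keywords & ACCEPTED_KEYWORDS:
            continue
        issues.append(node.lineno)
    return sorted(issues)


# Constructed sample: two calls that should be flagged, three that should not.
SAMPLE_SOURCE = '''
from flask import send_file
import flask

def bad(path):
    return send_file(open(path, "rb"))

def also_bad(fp):
    return flask.send_file(fp)

def ok_string():
    return send_file("static/report.pdf")

def ok_mimetype(path):
    return send_file(open(path, "rb"), mimetype="application/pdf")

def ok_attachment(path):
    return send_file(open(path, "rb"), as_attachment=True,
                     attachment_filename="report.pdf")
'''

if __name__ == "__main__":
    for lineno in find_send_file_issues(SAMPLE_SOURCE):
        print(f"line {lineno}: send_file() given a file object "
              "without mimetype or attachment_filename")
```

Running the script reports lines 6 and 9 of the sample, which are exactly the two calls that would raise ValueError on Flask 0.12 and later; the string-path and keyword-bearing calls pass.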
References:
- Flask issue related to send_file changes.
- Flask PR related to send_file improvements.
- Flask upgrade instructions.