fix: prevent path traversal in FileClient.upload_file

Aryamanz29 · claude · Aryamanz29 · commit 9f1b9ab6d0fc · 2026-03-06T14:07:25.000+05:30
Add a check for '..' components in the file path passed to
FileUpload.validate_file_path, raising a new INVALID_UPLOAD_FILE_PATH_TRAVERSAL
error (ATLAN-PYTHON-400-077) if detected. Also use Path.resolve() to
normalize the path before opening, preventing directory traversal attacks.

Closes SEC-147

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/pyatlan/client/common/file.py b/pyatlan/client/common/file.py
@@ -1,5 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2025 Atlan Pte. Ltd.
+from pathlib import Path
 from typing import Any
 
 from pyatlan.client.constants import (
@@ -54,10 +55,16 @@ def validate_file_path(file_path: str) -> Any:
 
         :param file_path: path to the file to upload
         :returns: opened file object
+        :raises INVALID_UPLOAD_FILE_PATH_TRAVERSAL: if path traversal is detected
         :raises INVALID_UPLOAD_FILE_PATH: if file not found
         """
+        path = Path(file_path)
+        if ".." in path.parts:
+            raise ErrorCode.INVALID_UPLOAD_FILE_PATH_TRAVERSAL.exception_with_parameters(
+                file_path
+            )
         try:
-            return open(file_path, "rb")
+            return open(path.resolve(), "rb")
         except FileNotFoundError as err:
             raise ErrorCode.INVALID_UPLOAD_FILE_PATH.exception_with_parameters(
                 str(err.strerror), file_path
diff --git a/pyatlan/errors.py b/pyatlan/errors.py
@@ -675,6 +675,13 @@ class ErrorCode(Enum):
         "Set multi_valued=False when creating rich text attributes.",
         InvalidRequestError,
     )
+    INVALID_UPLOAD_FILE_PATH_TRAVERSAL = (
+        400,
+        "ATLAN-PYTHON-400-077",
+        "Path traversal detected in file path: {0}.",
+        "Ensure the file path does not contain '..' components.",
+        InvalidRequestError,
+    )
     AUTHENTICATION_PASSTHROUGH = (
         401,
         "ATLAN-PYTHON-401-000",
diff --git a/tests/unit/test_file_client.py b/tests/unit/test_file_client.py
@@ -161,6 +161,13 @@ def test_file_client_methods_validation_error(client, method, params):
                 "Error: No such file or directory, Path: some/invalid/file_path.png"
             ),
         ],
+        [
+            "../../etc/passwd",
+            (
+                "ATLAN-PYTHON-400-077 Path traversal detected in file path: "
+                r"\.\.\/\.\.\/etc\/passwd"
+            ),
+        ],
     ],
 )
 def test_file_client_upload_file_raises_invalid_request_error(
