fix: block sensitive file paths in FileClient.upload_file

Aryamanz29 · claude · Aryamanz29 · commit bf487f1aabb4 · 2026-03-06T14:13:40.000+05:30
Extend validate_file_path to reject:
- System directories: /etc/, /proc/, /sys/, /dev/, /root/, macOS equivalents
- Credential directories: .aws, .ssh, .gnupg anywhere in the resolved path
- Environment/secret files: .env, .env.local, .env.production, etc.

Raises new INVALID_UPLOAD_FILE_PATH_SENSITIVE error (ATLAN-PYTHON-400-078)
for all sensitive path matches, in addition to the existing traversal
check (ATLAN-PYTHON-400-077) for '..' components.

Closes SEC-147

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/pyatlan/client/common/file.py b/pyatlan/client/common/file.py
@@ -3,6 +3,23 @@
 from pathlib import Path
 from typing import Any
 
+# System directories that must never be read from
+_SENSITIVE_SYSTEM_PREFIXES = (
+    "/etc/",
+    "/proc/",
+    "/sys/",
+    "/dev/",
+    "/root/",
+    "/private/etc/",  # macOS: /etc is a symlink to /private/etc
+    "/private/var/",  # macOS
+)
+
+# Hidden credential/config directories that must never be read from
+_SENSITIVE_DIR_NAMES = frozenset({".aws", ".ssh", ".gnupg"})
+
+# File name prefixes for environment/secret files
+_SENSITIVE_FILE_PREFIXES = (".env",)
+
 from pyatlan.client.constants import (
     API,
     PRESIGNED_URL,
@@ -56,15 +73,40 @@ def validate_file_path(file_path: str) -> Any:
         :param file_path: path to the file to upload
         :returns: opened file object
         :raises INVALID_UPLOAD_FILE_PATH_TRAVERSAL: if path traversal is detected
+        :raises INVALID_UPLOAD_FILE_PATH_SENSITIVE: if path points to a sensitive location
         :raises INVALID_UPLOAD_FILE_PATH: if file not found
         """
         path = Path(file_path)
+
+        # Block directory traversal via '..'
         if ".." in path.parts:
             raise ErrorCode.INVALID_UPLOAD_FILE_PATH_TRAVERSAL.exception_with_parameters(
                 file_path
             )
+
+        resolved = path.resolve()
+        resolved_str = str(resolved)
+
+        # Block sensitive system directories (e.g. /etc/, /proc/, /dev/)
+        if resolved_str.startswith(_SENSITIVE_SYSTEM_PREFIXES):
+            raise ErrorCode.INVALID_UPLOAD_FILE_PATH_SENSITIVE.exception_with_parameters(
+                file_path
+            )
+
+        # Block credential/config hidden directories (e.g. .aws, .ssh, .gnupg)
+        if any(part in _SENSITIVE_DIR_NAMES for part in resolved.parts):
+            raise ErrorCode.INVALID_UPLOAD_FILE_PATH_SENSITIVE.exception_with_parameters(
+                file_path
+            )
+
+        # Block environment/secret files (e.g. .env, .env.local, .env.production)
+        if resolved.name.startswith(_SENSITIVE_FILE_PREFIXES):
+            raise ErrorCode.INVALID_UPLOAD_FILE_PATH_SENSITIVE.exception_with_parameters(
+                file_path
+            )
+
         try:
-            return open(path.resolve(), "rb")
+            return open(resolved, "rb")
         except FileNotFoundError as err:
             raise ErrorCode.INVALID_UPLOAD_FILE_PATH.exception_with_parameters(
                 str(err.strerror), file_path
diff --git a/pyatlan/errors.py b/pyatlan/errors.py
@@ -682,6 +682,13 @@ class ErrorCode(Enum):
         "Ensure the file path does not contain '..' components.",
         InvalidRequestError,
     )
+    INVALID_UPLOAD_FILE_PATH_SENSITIVE = (
+        400,
+        "ATLAN-PYTHON-400-078",
+        "Access to sensitive file path is not allowed: {0}.",
+        "Ensure the file path does not point to sensitive system files or credential directories.",
+        InvalidRequestError,
+    )
     AUTHENTICATION_PASSTHROUGH = (
         401,
         "ATLAN-PYTHON-401-000",
diff --git a/tests/unit/test_file_client.py b/tests/unit/test_file_client.py
@@ -161,13 +161,41 @@ def test_file_client_methods_validation_error(client, method, params):
                 "Error: No such file or directory, Path: some/invalid/file_path.png"
             ),
         ],
+        # Path traversal
         [
             "../../etc/passwd",
             (
                 "ATLAN-PYTHON-400-077 Path traversal detected in file path: "
                 r"\.\.\/\.\.\/etc\/passwd"
             ),
         ],
+        # Sensitive system files
+        [
+            "/etc/passwd",
+            "ATLAN-PYTHON-400-078 Access to sensitive file path is not allowed",
+        ],
+        [
+            "/etc/shadow",
+            "ATLAN-PYTHON-400-078 Access to sensitive file path is not allowed",
+        ],
+        # Credential directories
+        [
+            "/home/user/.aws/credentials",
+            "ATLAN-PYTHON-400-078 Access to sensitive file path is not allowed",
+        ],
+        [
+            "/home/user/.ssh/id_rsa",
+            "ATLAN-PYTHON-400-078 Access to sensitive file path is not allowed",
+        ],
+        # Environment files
+        [
+            "/app/.env",
+            "ATLAN-PYTHON-400-078 Access to sensitive file path is not allowed",
+        ],
+        [
+            "/app/.env.production",
+            "ATLAN-PYTHON-400-078 Access to sensitive file path is not allowed",
+        ],
     ],
 )
 def test_file_client_upload_file_raises_invalid_request_error(
