Merge pull request #824 from atlanhq/SEC-147

SEC-147 | Bock sensitive file paths in `FileClient.upload_file()`

Author: Aryamanz29

.pre-commit-config.yaml

@@ -3,9 +3,11 @@ repos:
     rev: v6.0.0
     hooks:
       - id: check-yaml
+        exclude: ^\.github/workflows/
       - id: end-of-file-fixer
       - id: trailing-whitespace
       - id: debug-statements
+        exclude: ^pyatlan_v9/model/assets/_overlays/
 
   # Use uv to run formatting and QA tools
   - repo: https://github.com/astral-sh/ruff-pre-commit

pyatlan/client/common/file.py

@@ -1,5 +1,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2025 Atlan Pte. Ltd.
+import os
+from pathlib import Path
 from typing import Any
 
 from pyatlan.client.constants import (
@@ -13,6 +15,28 @@
 from pyatlan.errors import ErrorCode
 from pyatlan.model.file import CloudStorageIdentifier, PresignedURLRequest
 
+# System directories that must never be read from.
+_SENSITIVE_SYSTEM_PREFIXES = (
+    "/etc/",
+    "/proc/",
+    "/sys/",
+    "/dev/",
+    "/root/",
+    "/private/etc/",  # macOS: /etc is a symlink to /private/etc
+    "/private/var/",  # macOS
+)
+
+# Hidden credential/config directories that must never be read from.
+_SENSITIVE_DIR_NAMES = frozenset({".aws", ".ssh", ".gnupg"})
+
+# File name prefixes for environment/secret files.
+_SENSITIVE_FILE_PREFIXES = (".env",)
+
+
+def _parse_env_list(env_var: str) -> list:
+    val = os.environ.get(env_var, "")
+    return [p.strip() for p in val.split(",") if p.strip()] if val else []
+
 
 class FilePresignedUrl:
     """
@@ -54,10 +78,52 @@ def validate_file_path(file_path: str) -> Any:
 
         :param file_path: path to the file to upload
         :returns: opened file object
+        :raises INVALID_UPLOAD_FILE_PATH_TRAVERSAL: if path traversal is detected
+        :raises INVALID_UPLOAD_FILE_PATH_SENSITIVE: if path points to a sensitive location
         :raises INVALID_UPLOAD_FILE_PATH: if file not found
         """
+        path = Path(file_path)
+
+        # Block directory traversal via '..'
+        if ".." in path.parts:
+            raise ErrorCode.INVALID_UPLOAD_FILE_PATH_TRAVERSAL.exception_with_parameters(
+                file_path
+            )
+
+        resolved = path.resolve()
+        resolved_str = str(resolved)
+
+        # Block sensitive system directories (e.g. /etc/, /proc/, /dev/)
+        if resolved_str.startswith(_SENSITIVE_SYSTEM_PREFIXES):
+            raise ErrorCode.INVALID_UPLOAD_FILE_PATH_SENSITIVE.exception_with_parameters(
+                file_path
+            )
+
+        # Block credential/config hidden directories (e.g. .aws, .ssh, .gnupg)
+        if any(part in _SENSITIVE_DIR_NAMES for part in resolved.parts):
+            raise ErrorCode.INVALID_UPLOAD_FILE_PATH_SENSITIVE.exception_with_parameters(
+                file_path
+            )
+
+        # Block environment/secret files (e.g. .env, .env.local, .env.production)
+        if resolved.name.startswith(_SENSITIVE_FILE_PREFIXES):
+            raise ErrorCode.INVALID_UPLOAD_FILE_PATH_SENSITIVE.exception_with_parameters(
+                file_path
+            )
+
+        # Block user-defined paths via PYATLAN_UPLOAD_FILE_BLOCKED_PATHS (comma-separated).
+        # Each entry is matched as a substring against the full resolved path, so it
+        # can express system prefixes ("/vault/"), dir names (".vault"), or
+        # file prefixes (".credentials").
+        # e.g. PYATLAN_UPLOAD_FILE_BLOCKED_PATHS="/custom/secrets/,.vault,.credentials"
+        user_blocked = _parse_env_list("PYATLAN_UPLOAD_FILE_BLOCKED_PATHS")
+        if any(pattern in resolved_str for pattern in user_blocked):
+            raise ErrorCode.INVALID_UPLOAD_FILE_PATH_SENSITIVE.exception_with_parameters(
+                file_path
+            )
+
         try:
-            return open(file_path, "rb")
+            return open(resolved, "rb")
         except FileNotFoundError as err:
             raise ErrorCode.INVALID_UPLOAD_FILE_PATH.exception_with_parameters(
                 str(err.strerror), file_path

pyatlan/errors.py

@@ -675,6 +675,20 @@ class ErrorCode(Enum):
         "Set multi_valued=False when creating rich text attributes.",
         InvalidRequestError,
     )
+    INVALID_UPLOAD_FILE_PATH_TRAVERSAL = (
+        400,
+        "ATLAN-PYTHON-400-077",
+        "Path traversal detected in file path: {0}.",
+        "Ensure the file path does not contain '..' components.",
+        InvalidRequestError,
+    )
+    INVALID_UPLOAD_FILE_PATH_SENSITIVE = (
+        400,
+        "ATLAN-PYTHON-400-078",
+        "Access to blocked file path is not allowed: {0}.",
+        "Ensure the file path does not point to a blocked location (system files, credential directories, or paths defined in PYATLAN_UPLOAD_FILE_BLOCKED_PATHS).",
+        InvalidRequestError,
+    )
     AUTHENTICATION_PASSTHROUGH = (
         401,
         "ATLAN-PYTHON-401-000",

pyatlan_v9/model/assets/_init_adf.py

@@ -8,6 +8,12 @@
 This module provides convenient imports for all ADF types and their Related variants.
 """
 
+from .adf import ADF
+from .adf_activity import AdfActivity
+from .adf_dataflow import AdfDataflow
+from .adf_dataset import AdfDataset
+from .adf_linkedservice import AdfLinkedservice
+from .adf_pipeline import AdfPipeline
 from .adf_related import (
     RelatedADF,
     RelatedAdfActivity,
@@ -16,12 +22,6 @@
     RelatedAdfLinkedservice,
     RelatedAdfPipeline,
 )
-from .adf import ADF
-from .adf_activity import AdfActivity
-from .adf_dataflow import AdfDataflow
-from .adf_dataset import AdfDataset
-from .adf_linkedservice import AdfLinkedservice
-from .adf_pipeline import AdfPipeline
 
 __all__ = [
     "ADF",

pyatlan_v9/model/assets/_init_adls.py

@@ -8,16 +8,16 @@
 This module provides convenient imports for all ADLS types and their Related variants.
 """
 
+from .adls import ADLS
+from .adls_account import ADLSAccount
+from .adls_container import ADLSContainer
+from .adls_object import ADLSObject
 from .adls_related import (
     RelatedADLS,
     RelatedADLSAccount,
     RelatedADLSContainer,
     RelatedADLSObject,
 )
-from .adls import ADLS
-from .adls_account import ADLSAccount
-from .adls_container import ADLSContainer
-from .adls_object import ADLSObject
 
 __all__ = [
     "ADLS",

pyatlan_v9/model/assets/_init_ai.py

@@ -8,16 +8,16 @@
 This module provides convenient imports for all AI types and their Related variants.
 """
 
+from .ai import AI
+from .ai_application import AIApplication
+from .ai_model import AIModel
+from .ai_model_version import AIModelVersion
 from .ai_related import (
     RelatedAI,
     RelatedAIApplication,
     RelatedAIModel,
     RelatedAIModelVersion,
 )
-from .ai import AI
-from .ai_application import AIApplication
-from .ai_model import AIModel
-from .ai_model_version import AIModelVersion
 
 __all__ = [
     "AI",

pyatlan_v9/model/assets/_init_airflow.py

@@ -8,13 +8,9 @@
 This module provides convenient imports for all Airflow types and their Related variants.
 """
 
-from .airflow_related import (
-    RelatedAirflow,
-    RelatedAirflowDag,
-    RelatedAirflowTask,
-)
 from .airflow import Airflow
 from .airflow_dag import AirflowDag
+from .airflow_related import RelatedAirflow, RelatedAirflowDag, RelatedAirflowTask
 from .airflow_task import AirflowTask
 
 __all__ = [

pyatlan_v9/model/assets/_init_anaplan.py

@@ -8,6 +8,14 @@
 This module provides convenient imports for all Anaplan types and their Related variants.
 """
 
+from .anaplan import Anaplan
+from .anaplan_app import AnaplanApp
+from .anaplan_dimension import AnaplanDimension
+from .anaplan_line_item import AnaplanLineItem
+from .anaplan_list import AnaplanList
+from .anaplan_model import AnaplanModel
+from .anaplan_module import AnaplanModule
+from .anaplan_page import AnaplanPage
 from .anaplan_related import (
     RelatedAnaplan,
     RelatedAnaplanApp,
@@ -21,14 +29,6 @@
     RelatedAnaplanView,
     RelatedAnaplanWorkspace,
 )
-from .anaplan import Anaplan
-from .anaplan_app import AnaplanApp
-from .anaplan_dimension import AnaplanDimension
-from .anaplan_line_item import AnaplanLineItem
-from .anaplan_list import AnaplanList
-from .anaplan_model import AnaplanModel
-from .anaplan_module import AnaplanModule
-from .anaplan_page import AnaplanPage
 from .anaplan_system_dimension import AnaplanSystemDimension
 from .anaplan_view import AnaplanView
 from .anaplan_workspace import AnaplanWorkspace

pyatlan_v9/model/assets/_init_anomalo.py

@@ -8,12 +8,9 @@
 This module provides convenient imports for all Anomalo types and their Related variants.
 """
 
-from .anomalo_related import (
-    RelatedAnomalo,
-    RelatedAnomaloCheck,
-)
 from .anomalo import Anomalo
 from .anomalo_check import AnomaloCheck
+from .anomalo_related import RelatedAnomalo, RelatedAnomaloCheck
 
 __all__ = [
     "Anomalo",

pyatlan_v9/model/assets/_init_api.py

@@ -8,6 +8,11 @@
 This module provides convenient imports for all API types and their Related variants.
 """
 
+from .api import API
+from .api_field import APIField
+from .api_object import APIObject
+from .api_path import APIPath
+from .api_query import APIQuery
 from .api_related import (
     RelatedAPI,
     RelatedAPIField,
@@ -16,11 +21,6 @@
     RelatedAPIQuery,
     RelatedAPISpec,
 )
-from .api import API
-from .api_field import APIField
-from .api_object import APIObject
-from .api_path import APIPath
-from .api_query import APIQuery
 from .api_spec import APISpec
 
 __all__ = [