Correct errors

Author: johnsamuelwrites

backend/shexstatements/shexfromcsv.py

@@ -7,6 +7,7 @@
 import csv
 import re
 from io import StringIO
+import os
 
 from shexstatements.shexstatementsparser import ShExStatementLexerParser
 
@@ -70,28 +71,46 @@ def generate_shex_from_csv(filepath, delim=",", skip_header=False, filename=True
             pattern = r'^\s*$'
             data = ""
             if filename:
-                csvfile = open(filepath)
-                csvreader = csv.reader(csvfile, delimiter=delim)
+                normalized_path = os.path.normpath(filepath.strip())
+                if not normalized_path:
+                    raise ValueError("Empty filename is not allowed")
+                if os.path.isabs(normalized_path):
+                    raise ValueError("Absolute paths are not allowed")
+                if normalized_path == ".." or normalized_path.startswith(".." + os.path.sep):
+                    raise ValueError("Path traversal is not allowed")
+                with open(normalized_path, "r") as csvfile:
+                    csvreader = csv.reader(csvfile, delimiter=delim)
+                    rowno = 0
+                    for row in csvreader:
+                        rowno = rowno + 1
+                        if skip_header and rowno == 1:
+                            continue
+                        line = ""
+                        for value in row:
+                            if value and not re.match(pattern, value):
+                                if not line:
+                                    line = value
+                                else:
+                                    line = line + "|" + value
+                        data = data + line + "\n"
             else:
                 # It's a multi-line string
                 csvstring = StringIO(filepath)
                 csvreader = csv.reader(csvstring, delimiter=delim)
-            rowno = 0
-            for row in csvreader:
-                rowno = rowno + 1
-                if skip_header and rowno == 1:
-                    continue
-                line = ""
-                for value in row:
-                    if value and not re.match(pattern, value):
-                        if not line:
-                            line = value
-                        else:
-                            line = line + "|" + value
-                data = data + line + "\n"
+                rowno = 0
+                for row in csvreader:
+                    rowno = rowno + 1
+                    if skip_header and rowno == 1:
+                        continue
+                    line = ""
+                    for value in row:
+                        if value and not re.match(pattern, value):
+                            if not line:
+                                line = value
+                            else:
+                                line = line + "|" + value
+                    data = data + line + "\n"
             shexstatement = CSV.generate_shex_from_data_string(data)
-            if filename:
-                csvfile.close()
         except Exception as e:
             print("Unable to read file. Error: " + str(e))
         return shexstatement

shexstatements/application.py

@@ -3,7 +3,7 @@
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
 #
-from flask import Flask, render_template, url_for, request, redirect
+from flask import Flask, render_template, request
 from shexstatements.shexfromcsv import CSV
 from shexstatements.shexfromspreadsheet import Spreadsheet
 from os.path import splitext

shexstatements/shexfromapplprofilecsv.py

@@ -5,8 +5,6 @@
 #
 
 import csv
-import re
-from shexstatements.shexstatementsparser import ShExStatementLexerParser
 from shexstatements.shexfromcsv import CSV
 
 """

shexstatements/shexfromcsv.py

@@ -36,7 +36,7 @@ def generate_shex_from_data_string(data):
             lexerparser = ShExStatementLexerParser()
             lexerparser.build()
             lexerparser.buildparser()
-            tokens = lexerparser.input(data)
+            lexerparser.input(data)
             result = lexerparser.parse(data)
             shexstatement = result.generate_shex()
         except Exception as e:
@@ -70,38 +70,47 @@ def generate_shex_from_csv(filepath, delim=",", skip_header=False, filename=True
             pattern = r'^\s*$'
             data = ""
             if filename:
-                # Validate and normalize the file path to avoid path traversal
-                normalized_path = os.path.normpath(filepath)
-                # Reject absolute paths
-                if os.path.isabs(normalized_path):
-                    raise ValueError("Absolute paths are not allowed")
-                # Only allow simple filenames without directory components
-                if os.path.sep in normalized_path or (os.path.altsep and os.path.altsep in normalized_path):
-                    raise ValueError("Directory separators are not allowed in filename")
+                # Validate and normalize the path while allowing relative subdirectories.
+                normalized_path = os.path.normpath(filepath.strip())
                 if not normalized_path:
                     raise ValueError("Empty filename is not allowed")
-                csvfile = open(normalized_path, 'r')
-                csvreader = csv.reader(csvfile, delimiter=delim)
+                if os.path.isabs(normalized_path):
+                    raise ValueError("Absolute paths are not allowed")
+                if normalized_path == ".." or normalized_path.startswith(".." + os.path.sep):
+                    raise ValueError("Path traversal is not allowed")
+                with open(normalized_path, "r") as csvfile:
+                    csvreader = csv.reader(csvfile, delimiter=delim)
+                    rowno = 0
+                    for row in csvreader:
+                        rowno = rowno + 1
+                        if skip_header and rowno == 1:
+                            continue
+                        line = ""
+                        for value in row:
+                            if value and not re.match(pattern, value):
+                                if not line:
+                                    line = value
+                                else:
+                                    line = line + "|" + value
+                        data = data + line + "\n"
             else:
                 # It's a multi-line string
                 csvstring = StringIO(filepath)
                 csvreader = csv.reader(csvstring, delimiter=delim)
-            rowno = 0
-            for row in csvreader:
-                rowno = rowno + 1
-                if skip_header and rowno == 1:
-                    continue
-                line = ""
-                for value in row:
-                    if value and not re.match(pattern, value):
-                        if not line:
-                            line = value
-                        else:
-                            line = line + "|" + value
-                data = data + line + "\n"
+                rowno = 0
+                for row in csvreader:
+                    rowno = rowno + 1
+                    if skip_header and rowno == 1:
+                        continue
+                    line = ""
+                    for value in row:
+                        if value and not re.match(pattern, value):
+                            if not line:
+                                line = value
+                            else:
+                                line = line + "|" + value
+                    data = data + line + "\n"
             shexstatement = CSV.generate_shex_from_data_string(data)
-            if filename:
-                csvfile.close()
         except Exception as e:
             print("Unable to read file. Error: " + str(e))
         return shexstatement

shexstatements/shexstatement.py

@@ -4,9 +4,6 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 #
 
-import re
-
-
 class Type:
     def __init__(self, name):
         self.name = name[2:]
@@ -46,7 +43,7 @@ def __init__(self, value_list):
         self.value_list = value_list
 
     def add(self, value):
-        if(type(value) == Type):
+        if isinstance(value, Type):
             self.value_list.append(value)
         else:
             raise Exception("Mixing of non-type values not allowed")
@@ -68,7 +65,7 @@ def __init__(self, value_list):
         self.value_list = value_list
 
     def add(self, value):
-        if(type(value) == Value):
+        if isinstance(value, Value):
             self.value_list.append(value)
 
     def get_value_list(self):
@@ -164,13 +161,13 @@ def generate_shex(self):
             else:
                 combination.append(prop)
                 combination.append(" ")
-                if (type(value) == Node and str(value).startswith("@")):
+                if isinstance(value, Node) and str(value).startswith("@"):
                     value = "@<" + str(value)[1:] + ">"
-                elif type(value) == NodeKind:
+                elif isinstance(value, NodeKind):
                     value = str(value)
-                elif type(value) == Value or type(value) == ValueList:
+                elif isinstance(value, (Value, ValueList)):
                     value = "[ " + str(value) + " ]"
-                elif type(value) == Type or type(value) == TypeList:
+                elif isinstance(value, (Type, TypeList)):
                     value = str(value)
                 combination.append(value)
 

shexstatements/shexstatementsparser.py

@@ -7,7 +7,7 @@
 from ply import lex
 from ply import yacc
 from .errors import UnrecognizedCharacterError, ParserError
-from .shexstatement import Node, NodeKind, Value, ValueList, Type, TypeList, Cardinality, ShExStatement, ShExStatements
+from .shexstatement import Node, NodeKind, Value, ValueList, Type, TypeList, ShExStatement, ShExStatements
 
 
 class ShExStatementLexerParser(object):