I have a Python web application that accepts an HTTP URL to a PDF file from the URL. As part of what the application does, it needs to convert the PDF into a TIFF image using Ghostscript, and for this the PDF needs to be saved locally. So to do this I use urllib like this:
import os
import urllib

testfile = urllib.URLopener()
pdf_destination = os.path.join(self.options.storefolder, self.options.uniquecode + ".pdf")
testfile.retrieve(pdfurl, pdf_destination)  # Fortify vuln. found here
This works OK; however, Fortify SCA reports a critical "Path Manipulation" vulnerability. Is there a way to resolve this? Should I just ensure that pdfurl contains a valid PDF file name, or is there a better way to resolve this?
Ghostscript doesn't need the file saved locally; it can accept the data piped via stdin. It then creates a local temporary copy of the file (because PDF files require random access), but I presume that would be acceptable.
Of course, that still leaves you the problem of piping the PDF file into Ghostscript via stdin; I don't know how you would do that.
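An added example (not code from either post) that addresses both points: it whitelists the user-controlled unique code and checks that the resolved destination stays inside the store folder, which is what Fortify's Path Manipulation finding is about, and it pipes the downloaded bytes straight into Ghostscript on stdin so no user-named PDF file has to be written. It assumes Python 3's urllib.request in place of the legacy URLopener, that gs is on PATH, that Ghostscript's `-` input argument means "read from stdin", and the paths shown are constructed values.

```python
import os
import re
import subprocess
import urllib.request

# Whitelist for the only user-influenced part of the path: the unique code.
# Dots, slashes and backslashes are excluded, so ".." and separators cannot appear.
_CODE_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_uniquecode(uniquecode):
    """True only if the unique code consists of safe characters."""
    return bool(_CODE_RE.match(uniquecode))


def safe_pdf_destination(storefolder, uniquecode):
    """Build <storefolder>/<uniquecode>.pdf, refusing anything that could
    escape storefolder (the path-manipulation case Fortify flags)."""
    if not validate_uniquecode(uniquecode):
        raise ValueError("unique code contains disallowed characters")
    base = os.path.realpath(storefolder)
    dest = os.path.realpath(os.path.join(base, uniquecode + ".pdf"))
    # Defence in depth: the resolved path must still be inside the store folder.
    if os.path.commonpath([base, dest]) != base:
        raise ValueError("destination escapes the store folder")
    return dest


def ghostscript_tiff_cmd(tiff_destination):
    """Ghostscript argv that reads the PDF from stdin ('-') and writes a TIFF.
    -dSAFER restricts file access from inside the PostScript/PDF interpreter."""
    return ["gs", "-q", "-dNOPAUSE", "-dBATCH", "-dSAFER",
            "-sDEVICE=tiffg4", "-sOutputFile=" + tiff_destination, "-"]


def pdf_url_to_tiff(pdfurl, tiff_destination):
    """Fetch the PDF and pipe its bytes into Ghostscript; the TIFF path is
    built by the application, never from the request."""
    with urllib.request.urlopen(pdfurl) as resp:
        pdf_bytes = resp.read()
    subprocess.run(ghostscript_tiff_cmd(tiff_destination),
                   input=pdf_bytes, check=True)


if __name__ == "__main__":
    # Constructed values; the fetch is only attempted when run directly.
    tiff = safe_pdf_destination("/srv/pdfstore", "abc123")[:-4] + ".tif"
    print(ghostscript_tiff_cmd(tiff))
```

If the PDF must still be kept on disk, write it to `safe_pdf_destination(...)` and let Ghostscript read that path; the validation is what removes the finding, not the stdin pipe.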