Description
Hi @davewichers,
We identified a false positive in the OWASP Benchmark (Python) test case classified as a true positive under the Path Traversal category.
Test case: /benchmark/pathtraver-00/BenchmarkTest00008
Rule: Path Traversal
Case:
```python
import pathlib
import urllib.parse

# `request` is the web framework's request object and `helpers.utils.TESTFILES_DIR`
# the benchmark's test-file directory; both are supplied by the benchmark app.
param = urllib.parse.unquote_plus(
    request.cookies.get("BenchmarkTest00008", "noCookieValueSupplied")
)
bar = "This should never happen"
if 'should' not in bar:  # always False: 'should' is in the literal above
    bar = "Ifnot case passed"
testfiles = pathlib.Path(helpers.utils.TESTFILES_DIR)
p = testfiles / bar  # sink: built only from the constant `bar`, never from `param`
```
The variable bar, which is used to construct the filesystem path, is a hardcoded constant and is not derived from any user-controlled input. The conditional check is also deterministic and does not modify bar based on external input. Therefore, there is no feasible data flow from user input to the path construction.
As a result, the filesystem access does not expose a path traversal vulnerability, and the test case appears to be incorrectly marked as a true positive.
Additional observations:
We have found multiple similar cases in the Python benchmark where user input is read but does not propagate to the sink, yet the test is still classified as a true positive. These cases may be worth re-evaluating to reduce false positives and improve benchmark accuracy.
Please let us know if you would like references to additional examples.
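As an added example (not part of this issue or of the OWASP Benchmark's own code), the following Python mirrors the data flow quoted above beside a hypothetical variant in which the cookie does reach the path, and shows two checks a reviewer can run on a suspected false positive: whether varying the input changes the sink's path at all, and whether the resulting path resolves inside the test-file directory. `TESTFILES_DIR` is a constructed stand-in for `helpers.utils.TESTFILES_DIR`; `benchmark_00008_path`, `traversal_variant_path`, `stays_inside` and `reaches_sink` are names introduced here for illustration.

```python
import pathlib
import tempfile
import urllib.parse

# Constructed stand-in for the benchmark's helpers.utils.TESTFILES_DIR (assumption).
TESTFILES_DIR = pathlib.Path(tempfile.gettempdir()) / "benchmark_testfiles"


def benchmark_00008_path(cookie_value: str) -> pathlib.Path:
    """Same data flow as BenchmarkTest00008: the cookie is read but never used."""
    param = urllib.parse.unquote_plus(cookie_value)  # read, but does not reach the sink
    bar = "This should never happen"
    if "should" not in bar:  # always False: 'should' is in the literal
        bar = "Ifnot case passed"
    return TESTFILES_DIR / bar


def traversal_variant_path(cookie_value: str) -> pathlib.Path:
    """Hypothetical variant (NOT the benchmark's code) where the cookie does reach the path."""
    bar = urllib.parse.unquote_plus(cookie_value)
    return TESTFILES_DIR / bar


def stays_inside(base: pathlib.Path, candidate: pathlib.Path) -> bool:
    """Containment check: resolve '..' and symlinks, then require candidate under base."""
    base_r = base.resolve()
    cand_r = candidate.resolve()
    return cand_r == base_r or base_r in cand_r.parents


def reaches_sink(builder, probes) -> bool:
    """Dynamic check: does varying the input change the sink's path at all?"""
    paths = {str(builder(p)) for p in probes}
    return len(paths) > 1


# Constructed probe values: the benchmark default, an encoded '../' sequence, and a '+' space.
PROBES = ["noCookieValueSupplied", "..%2F..%2Foutside.txt", "a+b"]

if __name__ == "__main__":
    for name, builder in (("BenchmarkTest00008", benchmark_00008_path),
                          ("hypothetical variant", traversal_variant_path)):
        print(f"{name}: input reaches sink = {reaches_sink(builder, PROBES)}")
        for probe in PROBES:
            path = builder(probe)
            print(f"  {probe!r:28} -> inside TESTFILES_DIR: {stays_inside(TESTFILES_DIR, path)}")
```

`reaches_sink` is a coarse, input-to-output check rather than a static taint analysis, but it is enough to show the issue's point: for the benchmark case every probe yields the identical path under `TESTFILES_DIR`, while only the hypothetical variant lets the encoded `..%2F` sequence produce a path that resolves outside it.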