🔒 Fix unchecked file path

Author: garlontas

pystreamapi/loaders/__csv_loader.py

@@ -1,4 +1,5 @@
 import contextlib
+import os
 from collections import namedtuple
 from csv import reader
 
@@ -13,17 +14,28 @@ def csv(file_path: str, delimiter=',', encoding="utf-8") -> list:
         :param file_path: The path to the CSV file.
         :param delimiter: The delimiter used in the CSV file.
     """
+    file_path = __validate_path(file_path)
     with open(file_path, 'r', newline='', encoding=encoding) as csvfile:
         csvreader = reader(csvfile, delimiter=delimiter)
 
         # Create a namedtuple type, casting the header values to int or float if possible
-        Row = namedtuple('Row', list(next(csvreader)))
+        Row = namedtuple('Row', list(next(csvreader, [])))
 
         # Process the data, casting values to int or float if possible
         data = [Row(*[__try_cast(value) for value in row]) for row in csvreader]
 
     return data
 
+def __validate_path(file_path: str):
+    """Validate a path string to prevent path traversal attacks"""
+    if not os.path.isabs(file_path):
+        raise ValueError("The file_path must be an absolute path.")
+
+    if not os.path.exists(file_path):
+        raise FileNotFoundError("The specified file does not exist.")
+
+    return file_path
+
 def __try_cast(value):
     """Try to cast value to primary data types from python (int, float, bool)"""
     for cast in (int, float):

tests/assets/empty.csv

@@ -23,3 +23,7 @@ def test_csv_loader_with_custom_delimiter(self):
         self.assertEqual(len(data), 1)
         self.assertEqual(data[0].attr1, 1)
         self.assertIsInstance(data[0].attr1, int)
+
+    def test_csv_loader_with_empty_file(self):
+        data = csv(f'{self.path}/empty.csv')
+        self.assertEqual(len(data), 0)