Deferred from the r5 pre-release audit (finding #8, second half). The per-method path-trust disclosure landed in PR (the audit's minimum bar); this tracks the optional hardening.
The Python `write`/`load` methods forward `path` to the filesystem unmodified (no `..` / traversal sanitisation) — correct and now documented per-method. In a service context where the path is effectively attacker-influenced (e.g. a REST endpoint that accepts an index path), consider an opt-in guard:
- canonicalize the path and check it stays within an allowed prefix/root, and/or
- surface a distinct, logged error on a traversal attempt rather than a generic `IOError`.
Opt-in so the default (trusted-path) ergonomics are unchanged. New API surface → a pre-1.0 design decision, hence deferred.
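A sketch of the opt-in guard described above, added here as illustration and not code from the project: `resolve_within`, `is_within` and `guarded` are hypothetical helper names, and `guarded` takes the existing write/load callable as an argument so no project API is assumed.

```python
import logging
import os
from typing import Callable, Optional

log = logging.getLogger(__name__)


class PathTraversalError(ValueError):
    """Distinct error for a path that canonicalises outside the allowed root."""


def resolve_within(path: str, root: str) -> str:
    """Canonicalise `path` and confirm it lies under `root`; return the canonical path.

    Relative paths are resolved against `root` (not the process cwd); an absolute
    `path` replaces `root` in os.path.join and so is checked the same way.
    realpath follows symlinks, so a link pointing outside the root is rejected too.
    """
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, path))
    # commonpath compares whole components, so /srv/indexes2 is not "inside" /srv/indexes.
    if os.path.commonpath([real_root, candidate]) != real_root:
        log.warning("rejected index path %r: resolves to %r, outside %r",
                    path, candidate, real_root)
        raise PathTraversalError(f"path {path!r} escapes allowed root {real_root!r}")
    return candidate


def is_within(path: str, root: str) -> bool:
    """Boolean form of the same check, convenient for request validation."""
    try:
        resolve_within(path, root)
    except PathTraversalError:
        return False
    return True


def guarded(write_or_load: Callable[[str], object], path: str,
            root: Optional[str] = None) -> object:
    """Opt-in wrapper around the existing trusted-path write/load callable.

    With root=None the path is forwarded unmodified, so default ergonomics stay.
    """
    return write_or_load(path if root is None else resolve_within(path, root))


if __name__ == "__main__":
    # Constructed sample inputs against a root that need not exist on disk.
    for p in ("foo.idx", "sub/../foo.idx", "../etc/passwd", "/etc/passwd"):
        print(f"{p!r:20} -> {is_within(p, '/srv/indexes')}")
```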