Flask check: send_file() with a file handle

Bento check to detect if send_file() will throw an exception

by Grayson Hardaway, Engineering @ r2c


At r2c, our mission is to profoundly improve software security and reliability to safeguard human progress. We're writing custom program analysis checks and making them available for free and offline in Bento, our new developer tool focused on finding bugs that matter. These custom checks are in addition to tools already integrated into Bento, like Flake8, Bandit, and ESLint. The initial custom checks we’re adding to Bento analyze web frameworks/libraries such as Flask, Requests, and related web tools like Boto (the AWS SDK for Python).

The goal of these checks is to surface issues that you will end up fixing later—in code review, long-running integration tests, or security testing—as early as possible.

The Problem

send_file in Flask is a good example--it will throw a ValueError unless you provide a filename or mimetype, but you won't know that until you have the server running. This discussion on GitHub explains that this is new behavior as of Flask version 0.12 because the framework no longer infers the mimetype of file-like objects.

This check detects the use of open(filename, 'r') passed to flask.send_file() without the appropriate keyword args—either mimetype or attachment_filename. The keyword arguments prevent a ValueError from being thrown under these conditions. To see if this is happening in your codebase, run this in your Flask project directory:

~~pip3 install bento-cli && bento init~~

1brew install semgrep && \
2semgrep --config "https://semgrep.dev/p/python-flask"

Here’s an example of what the check may find. The following snippet:

1import flask
2app = flask.Flask(**name**)
4def send_file():
5f = open("test.db", 'r')
6rv = flask.send_file(f)

Will throw this exception when you make a request:

1[2019-10-30 10:25:14,695] ERROR in app: Exception on /send_file [GET][cut for brevity...]
2File "example.py", line 5, in send_file
3rv = flask.send_file(f)
4File "/usr/local/lib/python3.7/site-packages/flask/helpers.py", line 593, in send_file
5"Unable to infer MIME-type because no filename is available. "ValueError: Unable to infer MIME-type because no filename is available. Please set either attachment_filename, pass a filepath to filename_or_fp or set your own MIME-type via mimetype.

For the curious, the ValueError is raised here in the source.

Is This Check Any Good?

As outlined in our post on "Three Things Your Linter Shouldn't Tell You", we have a process we use to decide what checks are worthy of inclusion in Bento. Just doing the program analysis work isn't enough; we need to know that it will find issues a developer cares about, with good precision and recall.

We used r2c's program analysis platform to test out our check on real-world code. For this check, we used a set of 1.2k randomly sampled repositories on GitHub that use Flask. Often, running the check at scale yields some false positives we need to weed out (based on some faulty assumptions we have made!), such as this one:

1return send_file(backend.get_filename(path))

We fixed this by examining whether the first argument is open(...) or a variable storing the value of open(...).

The current version of the check finds 109 instances of this pattern across 15 unique repositories out of the original 1.2k.


These findings are actually test code from old Flask versions that has been copied or forked--and this makes sense, given that real runtime errors are likely to be found and removed by someone running their app to test.

This check can help speed up development by catching an easy-to-make mistake before discovering it through dynamic testing of your app. It is available in Bento by default as of version 0.6.


This check detects the following cases:

2# flask.send_file case
3flask.send_file(open("file.txt", 'r'))
5# With keyword args
6flask.send_file(open("file.txt", 'r'), conditional=False)
8# from flask import send_file case
9flask.send_file(open("file.txt", 'r'))
11# Variable resolution
12fin = open("file.txt", 'r')

This check considers the following cases acceptable:

2# String argument for arg0
5# Has a mimetype
6flask.send_file(open("file.txt", 'r'), mimetype="text/plain")
8# Has a attachment_filename
9fin = open("file.txt", 'r')
10flask.send_file(fin, as_attachment=True, attachment_filename="file.txt")

This check is available in Bento by default as of version 0.6. Bento is a free program analysis tool focused on finding bugs that matter to you.



Semgrep Logo

Semgrep lets security teams partner with developers and shift left organically, without introducing friction. Semgrep gives security teams confidence that they are only surfacing true, actionable issues to developers, and makes it easy for developers to fix these issues in their existing environments.

Find and fix the issues that matter before build time

Semgrep helps organizations shift left without the developer productivity tax.

Get started in minutesBook a demo