Update _sys.py (#1361)

mail4umar · web-flow · commit 9b9b1cc84264 · 2026-02-03T09:21:49.000-05:00
Ensuring the path from the user is checked.

- resolving path to absolute
- ensuring path exists
- checking if its an actual file
diff --git a/verticapy/_utils/_sql/_sys.py b/verticapy/_utils/_sql/_sys.py
@@ -14,7 +14,9 @@
 See the  License for the specific  language governing
 permissions and limitations under the License.
 """
+import os
 import time
+from pathlib import Path
 from typing import Any, Literal, Optional
 
 import verticapy._config.config as conf
@@ -180,7 +182,14 @@ def _executeSQL(
     if data:
         cursor.executemany(query, data)
     elif method == "copy":
-        with open(path, "r", encoding="utf-8") as f:
+        if not path:
+            raise ValueError("path must be provided when method='copy'")
+        # Validate path to prevent path traversal attacks
+        file_path = Path(path).resolve()
+        # Ensure the resolved path exists and is a file
+        if not file_path.is_file():
+            raise ValueError(f"File not found or is not a regular file: {path}")
+        with open(file_path, "r", encoding="utf-8") as f:
             cursor.copy(query, f)
     else:
         cursor.execute(query)
