Concept Explanation
Security starts long before you build a big web app. It starts the first time your code reads a filename, accepts a user value, or decides whether to trust input. In beginner projects, the dangerous part is not complexity; it is false confidence.

In this lesson, you will work with a small script that reads a file from a safe folder. The goal is not to memorize security jargon. The goal is to build one healthy habit: never trust a path just because it looks harmless. You will see how a script can protect itself by checking where a path really points before opening anything. That same mindset will help you later with uploads, APIs, forms, and command-line tools.

By the end of this lesson, you should be able to:
- explain why `eval()` is unsafe for untrusted input,
- describe what path traversal means in simple words,
- keep a file-reading script inside a fixed folder instead of letting it wander anywhere on the system.

Why this matters: a lot of beginner code works fine on happy paths, then breaks the moment input becomes messy or hostile. Reliable code assumes that bad input will eventually arrive.
Where to Put the Code
- Define color and position variables at the top.
- Create shape drawing or placement logic in the middle.
- Render output (print, canvas, SVG, or styled block) at the end.
Command Reference
- Treat every path as untrusted until you check where it resolves on disk.
- Use `Path.resolve()` before reading a file so you can detect escape attempts like `../secret.txt`.
- Never use `eval()` on user-controlled text; parsing data and executing code are not the same thing.
- Keep experiments in a dedicated folder so mistakes stay contained.
Step-by-step Guide
- Run the script and confirm it prints the contents of `notes.txt` from inside `lesson_workspace`.
- Change the filename to something missing, run again, and read the `FileNotFoundError` carefully.
- Try a dangerous value such as `../outside.txt` and predict what should happen before you run it.
- Add a second safe file inside `lesson_workspace` and confirm the function can still read it normally.
- Write one sentence explaining why checking the resolved path is safer than trusting the raw filename.
Practice Exercises
- In your own words, explain the difference between reading a safe local file and executing arbitrary text as code.
- Compare `Path` and `os.path` for readability and write which style you prefer for beginner scripts.
- Find one example online of a path traversal bug or unsafe `eval()` usage and summarize the lesson in three plain sentences.
Coding Challenges
- Update the function so it only allows `.txt` files and rejects everything else with a clear error message.
- Return both the preview text and the file size, while keeping the security checks in one place.
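The script the Step-by-step Guide walks through, extended with both Coding Challenges (`.txt`-only and preview plus size). This is an added example written for this lesson, not the lesson's own script; it builds its own throwaway `lesson_workspace/` with constructed files so it runs anywhere, and the function and file names are assumptions.

```python
from pathlib import Path
import tempfile


def safe_read(workspace: Path, filename: str, preview_chars: int = 200) -> tuple[str, int]:
    """Read a .txt file that must live inside `workspace`; return (preview, size_in_bytes)."""
    base = workspace.resolve()
    # resolve() collapses "..", follows symlinks and makes the path absolute, so we
    # compare where the path really points, not how the raw filename looks.
    target = (base / filename).resolve()
    if base not in target.parents:
        raise ValueError(f"refusing path outside workspace: {filename!r}")
    if target.suffix != ".txt":
        raise ValueError(f"only .txt files are allowed: {filename!r}")
    if not target.is_file():
        raise FileNotFoundError(f"no such file in workspace: {filename!r}")
    text = target.read_text(encoding="utf-8")
    return text[:preview_chars], target.stat().st_size


def make_demo_workspace() -> Path:
    """Build a throwaway lesson_workspace/ with constructed sample files (not real data)."""
    root = Path(tempfile.mkdtemp())
    workspace = root / "lesson_workspace"
    workspace.mkdir()
    (workspace / "notes.txt").write_text("hello from notes\n", encoding="utf-8")
    (workspace / "script.py").write_text("print('not a note')\n", encoding="utf-8")
    # Sits one level above the workspace: the file "../outside.txt" would reach.
    (root / "outside.txt").write_text("this must never be readable\n", encoding="utf-8")
    return workspace


def demo(workspace: Path) -> dict[str, str]:
    """Try the lesson's inputs (safe, missing, traversal, wrong type, absolute) and record each result."""
    outcomes = {}
    for name in ("notes.txt", "missing.txt", "../outside.txt", "script.py", "/etc/passwd"):
        try:
            preview, size = safe_read(workspace, name)
            outcomes[name] = f"ok ({size} bytes): {preview.strip()}"
        except (ValueError, FileNotFoundError) as exc:
            outcomes[name] = f"rejected: {exc}"
    return outcomes


if __name__ == "__main__":
    for name, result in demo(make_demo_workspace()).items():
        print(f"{name:16} -> {result}")
```

Note that the containment check runs before the extension check: an absolute path or a `..` escape is rejected for leaving the workspace, regardless of what it ends in.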
Mini Practice Tasks
- Add `lesson_workspace/` to `.gitignore` so your practice files do not clutter the project.
- Write down one rule you want to remember: never trust raw paths from input.
- Delete any old experiment where you used `eval()` just because it felt convenient.
Common Mistake
Mixing up the x and y axes or using the wrong coordinate origin causes shapes to appear in unexpected places.
Real-life Mini Challenge
Draw one square, one triangle, and one circle, then move the X marker 2 steps right and 1 step down.