Serve files linked into the static files directory

In certain conda environments, the files in the static files root directory can be symlinked from a different place. The fixed implementation only resolves relative .. segments in the request path without resolving any symlinks. This way, it still prevents reading arbitrary files through the web server while allowing the reading of symlinked files.
aimhubio · Mar 7, 2024 · 8470774 · 8470774
1 parent 1ff3a3b
commit 8470774
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,19 +1,22 @@
 # Changelog
 
-## 3.19.0 
+## 3.19.0
 
-### Enhancements: 
+### Enhancements:
 - Replace grpc with http/ws as transport for aim tracking server (mihran113)
 - Remove `aim storage upgrade 2to3` command (mihran113)
 
+### Fixes
+- Allow the web UI to serve assets symlinked into the static files directory (martenlienen)
+
 ## 3.18.1 Feb 7, 2024
 
 ### Enhancements:
 
 - Add support for `sqlalchemy 2.0` (mihran113)
 - Add `min/max/first` values tracking and visualization for metrics (mihran113, KaroMourad)
 
-### Fixes 
+### Fixes
 - Fix pytorch_lightning aliases issue (popfido)
 - Fix typos in stat.py to collect gpu memory and power correctly (ChanderG)
 - Fix bug in pytorch lightning raising lock timeout (inc0)

diff --git a/aim/web/api/views.py b/aim/web/api/views.py
@@ -14,15 +14,18 @@
 async def serve_static_files(path):
     import aim_ui
 
-    static_files_root = os.path.join(os.path.dirname(aim_ui.__file__), 'build')
-    static_file_name = '/'.join((static_files_root, path))
-
-    # check if path is leading inside ui/build directory
-    if not Path(static_files_root).resolve() in Path(static_file_name).resolve().parents:
+    static_files_root = Path(aim_ui.__file__).parent / 'build'
+    # Normalize to resolve any .. segments
+    static_file_name = os.path.normpath(static_files_root / path)
+
+    # Ensure that no paths outside the root directory are accessed by checking that the
+    # root directory is a prefix of the file path
+    common_prefix = Path(os.path.commonpath([static_files_root, static_file_name]))
+    if common_prefix == static_files_root:
         raise HTTPException(status_code=404)
 
-    compressed_file_name = '{}.gz'.format(static_file_name)
-    if os.path.exists(compressed_file_name):
+    compressed_file_name = Path(f'{static_file_name}.gz')
+    if compressed_file_name.exists():
         return FileResponse(compressed_file_name, headers={'Content-Encoding': 'gzip'})
     return FileResponse(static_file_name)