
[fix] Serve files linked into the static files directory #3108

Merged
merged 1 commit into from
Mar 7, 2024

Conversation

martenlienen
Contributor

In certain conda environments, the files in the static files root directory can be symlinked from a different place. The fixed implementation only resolves relative .. segments in the request path without resolving any symlinks. This way, it still prevents reading arbitrary files through the web server while allowing the reading of symlinked files.

Member

@alberttorosyan alberttorosyan left a comment


Looks good! Thanks for the contribution @martenlienen 🚀
Waiting for @mihran113's review.

@martenlienen
Contributor Author

I force-pushed to fix the style issue.

Contributor

@mihran113 mihran113 left a comment


Looks good to me! @martenlienen, can I ask you to add an entry in the CHANGELOG.md file?

@martenlienen
Contributor Author

Done!

@mihran113 mihran113 merged commit 34051cd into aimhubio:main Mar 7, 2024
2 of 3 checks passed
@martenlienen martenlienen deleted the symlinked-assets branch March 7, 2024 22:54
@geraldino2

Hey, I think this PR actually resulted in a 404 for all static files served from static_files_root. I guess the condition below should use !=.

https://github.com/aimhubio/aim/blob/main/aim/web/api/views.py#L24-L25

if common_prefix == static_files_root:
    raise HTTPException(status_code=404)

However, note that it would make the code vulnerable to a trivial path traversal: curl http://127.0.0.1:43800/static-files/x/../../../../../../../../../../../../../secret_gzfile --path-as-is.

@mihran113
Contributor

mihran113 commented Mar 9, 2024

> Hey, I think this PR actually resulted in a 404 for all static files served from static_files_root. I guess the condition below should use !=.
>
> https://github.com/aimhubio/aim/blob/main/aim/web/api/views.py#L24-L25
>
>     if common_prefix == static_files_root:
>         raise HTTPException(status_code=404)
>
> However, note that it would make the code vulnerable to a trivial path traversal: curl http://127.0.0.1:43800/static-files/x/../../../../../../../../../../../../../secret_gzfile --path-as-is.

Hey @geraldino2! Thanks a lot for noticing the wrong condition!
Regarding the path traversal part: How would that be?

    static_file_name = os.path.normpath(static_files_root / path)

this line of the code will resolve any ..s in the path, and if the resulting path is outside of the build directory wouldn't the common prefix be different than the build directory itself?

@geraldino2

Hey @mihran113, you are right about path traversal. I didn't really read the code and I guess I may have removed the condition when debugging it. Sorry about that!
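A stand-alone model of the normalize-then-compare guard this thread discusses, added here as an example and not taken from aim's own views.py: it collapses `..` lexically with os.path.normpath, leaves symlinks unresolved so symlinked assets are still served, uses os.path.commonpath (an assumption; the PR's variable is only named common_prefix) for a segment-wise comparison, and uses the `!=` condition rather than the `==` that shipped. The temp-directory layout in the demo is constructed.

```python
import os
import tempfile


def resolve_static_file(static_files_root, request_path):
    """Return the on-disk path for request_path under static_files_root,
    or None if the request escapes the root.

    Only lexical '..' segments are collapsed (os.path.normpath); symlinks
    are deliberately not resolved, so a file that is merely symlinked into
    the root (as in the conda layouts the PR describes) is still served.
    """
    root = os.path.normpath(os.path.abspath(static_files_root))
    candidate = os.path.normpath(os.path.join(root, request_path))
    try:
        # commonpath compares whole path segments, so /srv/static-other is
        # not mistaken for a child of /srv/static (os.path.commonprefix is
        # character-wise and would accept it).
        common = os.path.commonpath([root, candidate])
    except ValueError:  # different drives / absolute vs relative on Windows
        return None
    # The merged PR shipped '==' here, which rejects every request; the
    # guard must reject only paths whose common part is NOT the root.
    if common != root:
        return None
    return candidate


def demo_symlinked_asset():
    """Constructed layout: static/app.js -> ../outside/app.js.

    Returns (served_content, traversal_blocked) so both behaviours can be
    checked without running a web server.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "static")
        outside = os.path.join(tmp, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        target = os.path.join(outside, "app.js")
        with open(target, "w") as f:
            f.write("console.log('hi')")
        os.symlink(target, os.path.join(root, "app.js"))

        served = resolve_static_file(root, "app.js")  # symlink is followed by open()
        with open(served) as f:
            content = f.read()
        traversal = resolve_static_file(root, "x/../../outside/app.js")
        return content, traversal is None
```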
