Chainlit / chainlit

Build Conversational AI in minutes ⚡️
https://docs.chainlit.io
Apache License 2.0

Chainlit is failing to render UI when executed through Bazel since 0.6.1 #317

Closed moonk-banksalad closed 1 year ago

moonk-banksalad commented 1 year ago

I have a Bazel-based workspace setup for Chainlit app development. I have a py_binary target for a Chainlit app and it was working fine until 0.6.0. However, with 0.6.1 and later versions, the server starts fine but the UI is failing to render because the requests to js/css files fail. Here are the logs:

INFO:     Started server process [52356]
INFO:     Waiting for application startup.
2023-08-25 05:42:50 - Your app is available at http://localhost:8000
INFO:     Application startup complete.
INFO:     Uvicorn running on http://0.0.0.0:8000 (Press CTRL+C to quit)
INFO:     127.0.0.1:42646 - "GET / HTTP/1.1" 200 OK
INFO:     127.0.0.1:42646 - "GET /index-1c4090d7.js HTTP/1.1" 404 Not Found
INFO:     127.0.0.1:42650 - "GET /index-a6e13df6.css HTTP/1.1" 404 Not Found

I suspect this commit because Bazel creates symbolic links to dependent packages when setting up an execution sandbox directory. Maybe passing follow_symlink=True to the StaticFiles constructor would solve this problem.

willydouhard commented 1 year ago

Can you try adding follow_symlink=True to your local installation and see if it fixes the issue?

moonk-banksalad commented 1 year ago

Sure. I verified js/css files load successfully when the follow_symlink option is added. Here's the snippet of my patch:

app.mount(
    "/assets",
    StaticFiles(
        packages=[("chainlit", os.path.join(build_dir, "assets"))], follow_symlink=True
    ),
    name="assets",
)

willydouhard commented 1 year ago

@MathiasSpanhove do you see any security issue with this?

MathiasSpanhove commented 1 year ago

I don't think it will be a security issue. It's a mount to the chainlit build directory so I don't think that users will be able to upload files to it and somehow use symlinks to try to extract secrets. (See Zip Slip / Zip Symlink Upload Attack for examples.)

If you really want to be safe, you could make it opt-in using configuration.

Interesting info about it from the Starlette team themselves: https://github.com/encode/starlette/pull/1681#issuecomment-1152178256
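
A stdlib-only model of the trade-off discussed above, as an added example that is not part of the thread and is not Chainlit's or Starlette's code. The `lookup` and `demo` functions, the directory layout and the resolve-then-compare containment check are assumptions constructed here; it shows why symlinked assets return 404 when links are resolved before the check, and what following links exposes if someone can write into the served directory.

```python
import os
import tempfile

def lookup(directory, rel_path, follow_symlink):
    """Return the path to serve, or None (a 404). Hypothetical helper."""
    joined = os.path.join(directory, rel_path)
    if follow_symlink:
        # Collapse ".." lexically only; symlinks are left unresolved.
        full = os.path.abspath(joined)
        root = os.path.abspath(directory)
    else:
        # Resolve symlinks first, so a link that leaves the root is rejected.
        full = os.path.realpath(joined)
        root = os.path.realpath(directory)
    if os.path.commonpath([full, root]) != root:
        return None  # resolved path is outside the served directory
    return full if os.path.isfile(full) else None

def demo():
    """Build a constructed sandbox-style layout and return lookup results."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        store = os.path.join(tmp, "store")    # where the real files live
        assets = os.path.join(tmp, "assets")  # directory mounted for serving
        os.makedirs(store)
        os.makedirs(assets)
        for name in ("index.js", "secret.txt"):
            with open(os.path.join(store, name), "w") as f:
                f.write(name)
        # Sandbox-style layout: the served file is a symlink into the store.
        os.symlink(os.path.join(store, "index.js"), os.path.join(assets, "index.js"))
        # A link that only someone with write access to assets/ could create.
        os.symlink(os.path.join(store, "secret.txt"), os.path.join(assets, "leak"))
        results = {}
        for follow in (False, True):
            for path in ("index.js", "leak", "../store/secret.txt"):
                results[(follow, path)] = lookup(assets, path, follow) is not None
        return results

if __name__ == "__main__":
    for (follow, path), served in demo().items():
        print(f"follow_symlink={follow!s:5} {path:22} served={served}")
```

In this model `../` traversal is rejected in both modes; the only difference is whether links already present inside the served directory are honoured, which is why write access to that directory is the deciding factor.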

willydouhard commented 1 year ago

The 0.6.401 release brings a follow_symlink parameter that should fix your issue!

moonk-banksalad commented 1 year ago

Verified that the issue is fixed in 0.6.401. Thank you!