Texera / texera

Collaborative Machine-Learning-Centric Data Analytics Using Workflows
https://texera.github.io
Apache License 2.0

File path validation #1040

Open Yicong-Huang opened 3 years ago

Yicong-Huang commented 3 years ago

The current File Source operator can access any path that the user specifies. This is a potential security issue. We should validate the path of user input and restrict a user to accessing only the files/paths that belong to him/her.

Created from JetBrains using CodeStream

Yicong-Huang commented 2 years ago

Discussion 01/13/2021: @Yicong-Huang will fix it some time. Could be assigned to ugrad.

MysteriousChallenger commented 2 years ago

~Appears to have been solved by #1251~

Edit: Logged-in users can only access files through UserFileUtils, which has a permissions mechanism. Sessions without a userID can still choose any path?

Xiao-zhen-Liu commented 2 years ago

Discussion 2022.05.12: We leave this open.

Xiao-zhen-Liu commented 1 year ago

Discussion 2022.12.07: To be confirmed and closed by @Yicong-Huang and @zuozhiw.

Yicong-Huang commented 1 year ago

With the change of #1688, users can now input file paths manually on the UI. So the security issue remains valid.

shengquan-ni commented 10 months ago

Containers will solve this issue.
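The path validation proposed in the opening comment, sketched as an added example (not Texera's code and not taken from this thread): a user-supplied path is resolved against that user's directory and rejected if it leaves it through `..`, an absolute path, or a symlink. The class name `UserPathValidator`, the method `resolveForUser` and the `users/<name>` layout are hypothetical; Java 11+ is assumed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class UserPathValidator {
    // Hypothetical helper: returns the real file path if it lies inside userRoot,
    // otherwise throws. Path.startsWith compares whole name elements, so a sibling
    // such as "alice2" is not treated as being inside "alice".
    static Path resolveForUser(Path userRoot, String requested) throws IOException {
        Path root = userRoot.toRealPath();                     // canonical root, symlinks resolved
        // resolve() returns `requested` unchanged when it is absolute; normalize() collapses ".."
        Path candidate = root.resolve(requested).normalize();
        if (!candidate.startsWith(root)) {
            throw new SecurityException("path escapes user directory");
        }
        // toRealPath() follows symlinks and throws NoSuchFileException if the file is missing
        Path real = candidate.toRealPath();
        if (!real.startsWith(root)) {
            throw new SecurityException("symlink escapes user directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout in a temp directory (assumed, not Texera's storage layout)
        Path base = Files.createTempDirectory("path-validation-demo");
        Path alice = Files.createDirectories(base.resolve("users/alice"));
        Path bob = Files.createDirectories(base.resolve("users/bob"));
        Files.writeString(alice.resolve("data.csv"), "a,b\n1,2\n");
        Files.writeString(bob.resolve("secret.csv"), "x\n");
        try {
            Files.createSymbolicLink(alice.resolve("link.csv"), bob.resolve("secret.csv"));
        } catch (UnsupportedOperationException | IOException e) {
            // Symlinks unavailable on this platform; "link.csv" is then denied as missing
        }
        String[] inputs = {
            "data.csv", "../bob/secret.csv", bob.resolve("secret.csv").toString(), "link.csv"
        };
        for (String in : inputs) {
            try {
                System.out.println("ALLOW " + in + " -> " + resolveForUser(alice, in));
            } catch (SecurityException | IOException e) {
                System.out.println("DENY  " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only `data.csv` is allowed; the other three inputs are denied. The caller should open the returned real path rather than the original string, since a file swapped for a symlink between the check and the open would otherwise bypass the check.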