Closed martenlienen closed 3 months ago
I force-pushed to fix the style issue.
Done!
Hey, I think this PR actually resulted in a 404 for all static files served from static_files_root
. I guess the condition below should use !=
.
https://github.com/aimhubio/aim/blob/main/aim/web/api/views.py#L24-L25
if common_prefix == static_files_root:
raise HTTPException(status_code=404)
However, note that it would make the code vulnerable to a trivial path traversal: curl http://127.0.0.1:43800/static-files/x/../../../../../../../../../../../../../secret_gzfile --path-as-is
.
Hey, I think this PR actually resulted in a 404 for all static files served from
static_files_root
. I guess the condition below should use!=
.https://github.com/aimhubio/aim/blob/main/aim/web/api/views.py#L24-L25
if common_prefix == static_files_root: raise HTTPException(status_code=404)
However, note that it would make the code vulnerable to a trivial path traversal:
curl http://127.0.0.1:43800/static-files/x/../../../../../../../../../../../../../secret_gzfile --path-as-is
.
Hey @geraldino2! Thanks a lot for noticing the wrong condition! Regarding the path traversal part: How would that be?
static_file_name = os.path.normpath(static_files_root / path)
this line of the code will resolve any ..
s in the path, and if the resulting path is outside of the build directory wouldn't the common prefix be different than the build directory itself?
Hey @mihran113, you are right about path traversal. I didn't really read the code and I guess I may have removed the condition when debugging it. Sorry about that!
In certain conda environments, the files in the static files root directory can be symlinked from a different place. The fixed implementation only resolves relative .. segments in the request path without resolving any symlinks. This way, it still prevents reading arbitrary files through the web server while allowing the reading of symlinked files.