aimhubio / aim

Aim 💫 — An easy-to-use & supercharged open-source experiment tracker.
https://aimstack.io
Apache License 2.0

[fix] Serve files linked into the static files directory #3108

Closed martenlienen closed 3 months ago

martenlienen commented 4 months ago

In certain conda environments, the files in the static files root directory can be symlinked from a different place. The fixed implementation only resolves relative .. segments in the request path without resolving any symlinks. This way, it still prevents reading arbitrary files through the web server while allowing the reading of symlinked files.

martenlienen commented 3 months ago

I force-pushed to fix the style issue.

martenlienen commented 3 months ago

Done!

geraldino2 commented 3 months ago

Hey, I think this PR actually resulted in a 404 for all static files served from static_files_root. I guess the condition below should use !=.

https://github.com/aimhubio/aim/blob/main/aim/web/api/views.py#L24-L25

if common_prefix == static_files_root:
    raise HTTPException(status_code=404)

However, note that it would make the code vulnerable to a trivial path traversal: curl http://127.0.0.1:43800/static-files/x/../../../../../../../../../../../../../secret_gzfile --path-as-is.

mihran113 commented 3 months ago

Hey @geraldino2! Thanks a lot for noticing the wrong condition! Regarding the path traversal part: How would that be?

    static_file_name = os.path.normpath(static_files_root / path)

this line of the code will resolve any ..s in the path, and if the resulting path is outside of the build directory wouldn't the common prefix be different than the build directory itself?

geraldino2 commented 3 months ago

Hey @mihran113, you are right about path traversal. I didn't really read the code and I guess I may have removed the condition when debugging it. Sorry about that!
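The containment check the thread converges on, reconstructed as an added example. This is not aim's own code: the page shows only the normpath line and the `==`/`!=` condition, so the commonpath-based computation of common_prefix, the function names resolve_static_path, serve and run_demo, the inverted_condition switch and the POSIX temp-dir fixture with a file symlinked into the build directory are all assumptions made here. It shows why mihran113 is right that geraldino2's `x/../../.../secret_gzfile` probe is rejected once the `..` segments are collapsed, why a file symlinked into the root is still served because symlinks are never resolved, and what the `==` condition in the PR actually did: a 404 for every in-root file while out-of-root candidates pass the check.

```python
"""Reconstruction of the static-file containment check discussed in aim PR #3108.

Example code, not aim's implementation. Assumes POSIX paths and a `common_prefix`
computed with os.path.commonpath (the page shows only the normpath line and the
condition). Symlinks are deliberately left unresolved so files linked into the
build directory (the conda case from the PR description) are still served.
"""
import os
import shutil
import tempfile
from pathlib import Path


def resolve_static_path(static_files_root, requested, inverted_condition=False):
    """Return the normalized on-disk path for `requested`, or None if it escapes
    `static_files_root`.

    inverted_condition=True reproduces the `== static_files_root` bug geraldino2
    spotted: every in-root path is rejected and every out-of-root path passes.
    The default is the corrected `!=` logic.
    """
    root = os.path.abspath(str(static_files_root))
    # Same semantics as `static_files_root / path`: an absolute `requested`
    # replaces the root outright, which the commonpath check below still catches.
    candidate = os.path.normpath(os.path.join(root, requested))
    # commonpath rather than str.startswith: '/srv/build2/x' must not match
    # a root of '/srv/build'.
    common_prefix = os.path.commonpath([root, candidate])
    inside = common_prefix == root
    if inverted_condition:
        inside = not inside
    return candidate if inside else None


def serve(static_files_root, requested, inverted_condition=False):
    """Read the file the way a static handler would; None stands for HTTP 404.

    open() follows symlinks, so a link placed inside the root is readable even
    though the containment check never resolved it.
    """
    target = resolve_static_path(static_files_root, requested, inverted_condition)
    if target is None or not os.path.isfile(target):
        return None
    with open(target, "rb") as fh:
        return fh.read()


# geraldino2's probe path: one real segment followed by enough '..' to reach '/'.
TRAVERSAL = "x/" + "../" * 13 + "secret_gzfile"


def run_demo():
    """Constructed fixture (temporary directory, POSIX symlink).

    Returns {"corrected": {request: body-or-None}, "inverted": {...}}.
    """
    base = Path(tempfile.mkdtemp(prefix="aim-static-demo-"))
    try:
        root = base / "build"
        (root / "static").mkdir(parents=True)
        (root / "index.html").write_bytes(b"<html>aim</html>")
        # A file that lives outside the root but is symlinked into it,
        # standing in for the conda layout described in the PR.
        linked = base / "conda-pkgs" / "app.js"
        linked.parent.mkdir()
        linked.write_bytes(b"console.log('served via symlink')")
        os.symlink(linked, root / "static" / "app.js")
        # Something worth stealing: outside the root and not linked in.
        (base / "secret_gzfile").write_bytes(b"TOP SECRET")

        requests = [
            "index.html",
            "static/app.js",
            TRAVERSAL,
            "../secret_gzfile",
            "static/../../secret_gzfile",
        ]
        return {
            "corrected": {r: serve(root, r) for r in requests},
            "inverted": {r: serve(root, r, inverted_condition=True) for r in requests},
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for mode, results in run_demo().items():
        print(mode)
        for req, body in results.items():
            print(f"  {req!r:45} -> {'404' if body is None else body!r}")
```

run_demo() builds the fixture in a temporary directory and removes it afterwards. The `--path-as-is` flag on geraldino2's curl line only stops curl from collapsing the dots client-side, so the server receives the raw segments, which is exactly what os.path.normpath then folds. The check relies on the web framework having already URL-decoded the route parameter; normpath knows nothing about percent-encoding, so a check run on a raw, undecoded URL would need that step first.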