fredrik-corneliusson / click-web

Serve click scripts over the web
MIT License

Allowing click-web to safely process uploaded files #11

Closed AlphonsG closed 2 years ago

AlphonsG commented 2 years ago

Hello,

Thank you for this repo. In this issue it is mentioned that "Providing a text input [to click-web] would not work unless you are on the same machine and it would be a dangerous vulnerability if you can make scripts process any folder on the server from the web." Is there a recommended way to safely allow the uploading and processing of files such as images using click-web?

Thanks.

fredrik-corneliusson commented 2 years ago

You're welcome. Yes, there certainly is; take a look at an example: https://github.com/fredrik-corneliusson/click-web/blob/master/example/example_command.py#L131

That command expects the file to be text, as it just uppercases all letters in the file and returns the result to download. But it could just as easily be a file of any type (like an image). What I was referring to as a security risk would be to create a command that treats a text field as a path to a file on the server where it runs. That way anyone could point it to a sensitive file such as "/etc/passwd" and make the command process it, instead of requiring uploading the file (or files in a zip) that you want to process.
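The two designs the reply contrasts, as an added example that is not click-web's own code: a command that processes an uploaded file object (what `click.File('rb')` hands the command; it is assumed here, as the linked example_command.py suggests, that click-web renders such a parameter as an upload field) beside the risky one that treats a text field as a path on the server, plus a confinement check for the case where a server path is unavoidable. The click wiring is noted in comments so the block runs with the standard library alone.

```python
"""Upload vs. server-path file handling for a click command exposed by click-web.
Added example (not click-web's own code). It assumes, as the linked
example_command.py suggests, that a click.File parameter becomes an upload field."""
import io
import os
import tempfile
from pathlib import Path


def uppercase_upload(infile) -> bytes:
    """Safe pattern: operate only on bytes the client uploaded.
    With click: @click.argument('infile', type=click.File('rb'))."""
    return infile.read().upper()


def read_server_path_unsafe(path: str) -> bytes:
    """Risky pattern described in the thread: a text field used as a path on
    the server, so a web caller can name any file the process can read."""
    with open(path, "rb") as fh:
        return fh.read()


def read_confined_path(path: str, allowed_root: str) -> bytes:
    """If a server path is unavoidable, resolve it and refuse anything outside
    allowed_root; resolve() collapses '..' and symlinks before the check."""
    root = Path(allowed_root).resolve()
    target = (root / path).resolve()
    if os.path.commonpath([root, target]) != str(root):
        raise PermissionError(f"{path!r} escapes {allowed_root!r}")
    return target.read_bytes()


def demo() -> dict:
    """Run the three designs against constructed files in a temp directory."""
    results = {"upload": uppercase_upload(io.BytesIO(b"hello from the browser\n"))}
    with tempfile.TemporaryDirectory() as tmp:
        uploads, secret = Path(tmp, "uploads"), Path(tmp, "secret")
        for d in (uploads, secret):
            d.mkdir()
        (uploads / "notes.txt").write_bytes(b"in the upload dir\n")   # constructed
        (secret / "secret.txt").write_bytes(b"not for the web\n")    # constructed
        # A str path is obeyed blindly: the caller decides which file is read.
        results["unsafe"] = read_server_path_unsafe(str(secret / "secret.txt"))
        results["confined_ok"] = read_confined_path("notes.txt", str(uploads))
        try:
            read_confined_path("../secret/secret.txt", str(uploads))
            results["confined_escape_blocked"] = False
        except PermissionError:
            results["confined_escape_blocked"] = True
    return results
```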

AlphonsG commented 2 years ago

@fredrik-corneliusson Oh that makes perfect sense, thank you for the response!