jupyter / nbclassic

Jupyter Notebook as a Jupyter Server extension
https://nbclassic.readthedocs.io/en/latest
BSD 3-Clause "New" or "Revised" License

Allow "save as" to save notebooks using absolute path #254

Open divyansshhh opened 1 year ago

divyansshhh commented 1 year ago

Currently the "save as" widget accepts path relative to the notebook dir. Can we allow saving of notebooks using the absolute path?

andrewfulton9 commented 1 year ago

@divyansshhh, could you give more detail to the issue you are running into? This issue may also be helpful to understand absolute vs relative paths in jupyter_server.

Carreau commented 1 year ago

I would need to check the code again but historically this is not possible for two reasons:

1) Abstractions: The notebook stores are swappable – some people store things in, say, Postgres, in which absolute paths make no sense.

2) For security reasons the notebook server is not aware of anything outside of notebook_dir, otherwise it may both leak information and allow escaping its root. I think a number of users would be really concerned if this was changed.

Technically this also poses a number of challenges: many of the API requests contain the path in the URL, and thus going "above" the root would either require

So I doubt in the long term it will be done.

Carreau commented 1 year ago

From the discussion, in @divyansshhh's case the server is started from the root of the FS, so we are referring both to the root of the server and the root of the FS (which in this case are the same). So fixing the UI to accept things starting with / does make sense.

andrewfulton9 commented 1 year ago

I am not able to reproduce this when the root of the host FileSystem is the same as the root of the server. I am only able to reproduce an error when they are different. This is with jupyter server version 1.19.1 and the main branch (f9e5b2b5) of nbclassic.

divyansshhh commented 1 year ago

> I am only able to reproduce an error when they are different.

We have certain use cases where the two values will be different. So it would be useful to fix this for those cases.

FTR - we are using jupyter-server 2.7.0 and nbclassic 0.5.6

Carreau commented 1 year ago

> We have certain use cases where the two values will be different. So it would be useful to fix this for those cases.
>
> FTR - we are using jupyter-server 2.7.0 and nbclassic 0.5.6

Just as a clarification, if the root of the filesystem and the --notebook-dir are different, then we cannot provide a fix upstream for multiple reasons.

First, a patch will be refused by the Jupyter Core team, and any such behavior would be considered a security vulnerability, with an emergency release issued to remove this vulnerability. (Disclaimer: I'm on the Jupyter Security Committee.)

Second, accessing anything above /user/matthias would be considered a CVE/CWE, for example one of CWE-22 or CWE-35. If the server root is, say, /user/matthias, then saving into /my/absolute/path.ipynb from the UI should save into /user/matthias/my/absolute/path.ipynb.

Beyond this there are technical challenges. Moving above the server root will also hit browser limitations (i.e. a browser will collapse /xxx/something/../yyy into /xxx/yyy/). Typical penetration testing tools do not use this collapsing, exactly to try to find vulnerable software. While the server could try to support it, it is likely this will break in weird ways and expose sensitive information.

The recommended pattern, if you wish to have access to the whole filesystem, is to set the server root to / and use --preferred_dir=/User/matthias/notebook_folder or c.ServerApp.preferred_dir= (the short version might not be possible everywhere) for the UI to start in this folder.
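The confinement rule described in the comments above (a leading slash means the server root, and nothing may climb above it), as an added Python example that is not nbclassic's or jupyter_server's own code; the helper name `resolve_notebook_path` and the `/user/matthias` root are assumed for illustration.

```python
import posixpath


class PathOutsideRootError(ValueError):
    """Raised when a requested path would climb above the server root (CWE-22)."""


def resolve_notebook_path(server_root: str, requested: str) -> str:
    """Map a 'save as' path onto the server root and keep it confined there.

    Hypothetical helper, not jupyter_server's code. A leading '/' in
    `requested` is read as the server root, never the host filesystem root,
    so with root '/user/matthias' the path '/my/absolute/path.ipynb' resolves
    to '/user/matthias/my/absolute/path.ipynb'. Paths are POSIX-style.
    """
    root = posixpath.normpath(server_root)
    if not root.startswith("/"):
        raise ValueError("server_root must be an absolute path")
    # Root-relative semantics: strip leading slashes instead of honouring them.
    rel = requested.lstrip("/")
    if not rel:
        raise ValueError("a file name is required")
    # Collapse '.' and '..' segments the way the server (or a browser) would.
    norm = posixpath.normpath(rel)
    if norm == ".":
        raise ValueError("a file name is required")
    # normpath keeps any '..' it cannot cancel, so a leading '..' here means
    # the path tried to go above the root: reject it rather than collapse it.
    if norm == ".." or norm.startswith("../"):
        raise PathOutsideRootError(f"{requested!r} escapes the server root")
    target = posixpath.join(root, norm)
    # Second, independent check on the joined result.
    prefix = root if root.endswith("/") else root + "/"
    if not target.startswith(prefix):
        raise PathOutsideRootError(f"{requested!r} escapes the server root")
    return target


if __name__ == "__main__":
    # Constructed sample inputs mirroring the cases discussed in the thread.
    print(resolve_notebook_path("/user/matthias", "/my/absolute/path.ipynb"))
    print(resolve_notebook_path("/", "/user/matthias/notebook_folder/x.ipynb"))
    try:
        resolve_notebook_path("/user/matthias", "../../outside.ipynb")
    except PathOutsideRootError as exc:
        print("rejected:", exc)
```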