fix: DEV-3212: Add validation to avoid users import local files using…
… URL (#2840)

* Add validation to avoid local files using URL import

* Add unit tests

* Apply formatting
guilhermemachado26 committed Aug 23, 2022
1 parent ad29804 commit 501142c
Showing 3 changed files with 42 additions and 0 deletions.
4 changes: 4 additions & 0 deletions label_studio/data_import/uploader.py
@@ -174,6 +174,10 @@ def load_tasks(request, project):
else:
if settings.SSRF_PROTECTION_ENABLED and url_is_local(url):
raise ImportFromLocalIPError

if url.strip().startswith('file://'):
raise ValidationError('"url" is not valid')

data_keys, found_formats, tasks, file_upload_ids = tasks_from_url(
file_upload_ids, project, request, url
)
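Review bot: The added guard `if url.strip().startswith('file://'):` is a case-sensitive literal prefix match, so it rejects one spelling of one scheme instead of restricting the import to the schemes it is meant to fetch. URL schemes are case-insensitive, and how `tasks_from_url` treats other schemes is not visible in this hunk, so an allowlist on the parsed scheme is the safer shape: `if urlparse(url.strip()).scheme not in ('http', 'https'): raise ValidationError('"url" is not valid')`, with `from urllib.parse import urlparse` at the top of the file. Placing it ahead of the `settings.SSRF_PROTECTION_ENABLED` branch with a comment such as `# reject non-HTTP(S) schemes regardless of SSRF_PROTECTION_ENABLED` would make it clear that the scheme check does not depend on that setting. `load_tasks` begins and ends outside the hunk, so the other branches that obtain a URL were not reviewed.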
Empty file.
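--- a/label_studio/tests/data_import/test_uploader.py
+++ b/label_studio/tests/data_import/test_uploader.py
@@ -0,0 +1,38 @@
+import pytest
+
+from rest_framework.exceptions import ValidationError
+
+from data_import.uploader import load_tasks
+
+pytestmark = pytest.mark.django_db
+
+
+class MockedRequest:
+FILES = ()
+
+def __init__(self, url):
+self.url = url
+
+@property
+def content_type(self):
+return "application/x-www-form-urlencoded"
+
+@property
+def data(self):
+return {"url": self.url}
+
+
+class TestUploader:
+@pytest.fixture
+def project(self, configured_project):
+return configured_project
+
+class TestLoadTasks:
+@pytest.mark.parametrize("url", ("file:///etc/passwd", " file://etc/kernel "))
+def test_raises_for_local_files(self, url, project):
+request = MockedRequest(url=url)
+
+with pytest.raises(ValidationError) as e:
+load_tasks(request, project)
+
+assert '"url" is not valid' in str(e.value)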
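Review bot: The parametrised inputs for `test_raises_for_local_files` cover only the lowercase `file://` prefix, with and without surrounding whitespace, so the suite pins the literal match rather than the intended rule. A case with a differently cased scheme, plus a positive case showing that an ordinary `https://` URL does not raise `ValidationError` (with the fetch stubbed), would document the boundary. Indentation is not visible in this rendering: if the final `assert '"url" is not valid' in str(e.value)` sits inside the `with pytest.raises(...)` block it never runs and should be dedented to follow it. A one-line docstring on the test, e.g. `"""URL import must reject file:// URLs before any fetch is attempted."""`, would state the intent.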
