[16.07] Fix galaxy.util.in_directory()... #4856
Conversation
…just one argument. Easy to see on Mac OS X since /tmp isn't really /tmp for instance:

```
% touch /tmp/moo
% python
>>> import galaxy.util
>>> galaxy.util.in_directory("/tmp/moo", "/tmp/moo")
False
```

... and this is why the Travis tests are failing under Mac OS X. Broken with 93a8bfc.
That was the whole point of this change, to prevent symlink attacks.
It is broken right -
Unit tests would really be helpful here.
It shouldn't be true if
This also doesn't match the method documentation, which says:

```python
def in_directory( file, directory, local_path_module=os.path ):
    """
    Return true, if the common prefix of both is equal to directory
    e.g. /a/b/c/d.rst and directory is /a/b, the common prefix is /a/b
```

Maybe you are confusing it with

Also, it may be good to fix the following documentation bug in this PR:

diff --git a/lib/galaxy/util/path/__init__.py b/lib/galaxy/util/path/__init__.py
index 48a8355..3cde6fb 100644
--- a/lib/galaxy/util/path/__init__.py
+++ b/lib/galaxy/util/path/__init__.py
@@ -31,7 +31,7 @@ def safe_contains(prefix, path, whitelist=None):
Given any two filesystem paths, ensure that ``path`` is contained in ``prefix``. If ``path`` exists (either as an
absolute path or relative to ``prefix``), it is canonicalized with :func:`os.path.realpath` to ensure it is not a
- symbolic link that points outside of ``path``. If it is a symbolic link and ``whitelist`` is set, the symbolic link
+ symbolic link that points outside of ``prefix``. If it is a symbolic link and ``whitelist`` is set, the symbolic link
may also point inside a ``whitelist`` path.
The ``path`` is checked against ``whitelist`` using either its absolute pathname (if passed in as absolute) or |
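Review bot: the corrected wording on the `+` line is right, since realpath is applied to ``path`` to keep it from escaping ``prefix``, not ``path``; but the docstring still says nothing about ``prefix`` itself. Only ``path`` is canonicalized here, so if ``prefix`` is reached through a symlink (the /tmp vs. /private/tmp case from the description) a realpath'd ``path`` will never compare as contained in it. Either canonicalize ``prefix`` as well, or state in this docstring that ``prefix`` must already be a real, trusted path, which is the precondition the rest of the discussion settles on.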
It has to be that way for any user provided path, or a path that a user or tool could potentially manipulate on the filesystem. The best you could do in allowing symlinks is to allow them in the base directory configured by the administrator for whatever path is being checked. The function would either need a parameter for that path, or be clearly stated that the directory argument must already be trusted. Also I almost added additional functions or parameters to differentiate between testing path strings and real paths on the file system. Right now it checks real paths if they exist, and just strings if they don't, which is not very intuitive. This is why the safe_relpath function exists.
Perhaps I'm missing something but there doesn't seem to be a single place in the code where it is used that way. Why would we want to check if a user supplied file is in a user supplied directory? At worst, we would want to know if a user supplied file is in a Galaxy supplied directory right?
@nsoranzo: you're right, I changed how the function worked without correcting the documentation, I can fix that based on what we decide to do. @jmchilton: if it's all trusted paths then why do we need a check at all? It's used to verify that a user provided path, path fragment, or file, is in an admin-configured directory. This function is used heavily in Pulsar btw. But in that case it's mostly not used on real paths, I believe.
c2707f7 to 4b5dc39
@natefoo I feel like we are talking across streams here - please try to speak to me in code. Can you modify the following test so this branch does something bad when
With the addition of the requirement that Perhaps it makes sense to split this in to two functions, one which operates on path strings only, and one that performs the actual filesystem check (with a param to indicate whether the directory is "trusted" or how much of the directory path is trusted?).
@natefoo Well I showed the grep for in_directory there - in all those cases
I'm not sure how the grep indicates they're trusted if the We'd also need to check all the calls in Pulsar. I actually think I may have done a cursory check of the calls in Galaxy, but when I realized it was also used in Pulsar, I decided to just use the solution I ended up with that didn't require Your solution is okay with me as long as we know that
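To make the two points in this thread concrete (real paths are checked when they exist and plain strings when they don't, and the proposal to split that into a string-only check and a filesystem check whose directory argument is the trusted root), here is an added example that is not Galaxy's or Pulsar's code. `in_directory_str`, `in_directory_fs` and `demo` are names chosen for this illustration, and the temp-directory fixture with its escaping symlink is constructed:

```python
import os
import shutil
import tempfile

def in_directory_str(path, directory):
    """Lexical check: normalises '..' but never touches the filesystem,
    so it is blind to symlinks. Fine for path fragments that don't exist yet."""
    directory = os.path.normpath(directory)
    candidate = os.path.normpath(os.path.join(directory, path))
    return os.path.commonpath([candidate, directory]) == directory

def in_directory_fs(path, directory):
    """Filesystem check. ``directory`` is the admin-configured trusted root and
    is realpath'd (so /tmp vs /private/tmp cannot give a false negative);
    ``path`` is realpath'd if it exists, which defeats a symlink that points
    outside the root. Paths that do not exist fall back to the lexical rule."""
    real_dir = os.path.realpath(directory)
    candidate = os.path.join(real_dir, path)        # an absolute ``path`` wins here
    if os.path.lexists(candidate):
        candidate = os.path.realpath(candidate)     # resolves dangling links too
    else:
        candidate = os.path.normpath(candidate)
    return os.path.commonpath([candidate, real_dir]) == real_dir

def demo():
    """Constructed fixture: a root with one plain file and one symlink that
    points into a second, unrelated directory. Returns each check's verdict."""
    root, outside = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        with open(os.path.join(root, "ok.txt"), "w") as fh:
            fh.write("inside\n")
        with open(os.path.join(outside, "secret.txt"), "w") as fh:
            fh.write("outside\n")
        os.symlink(os.path.join(outside, "secret.txt"), os.path.join(root, "link.txt"))
        return {
            "plain_file": in_directory_fs("ok.txt", root),                # True
            "symlink_escape": in_directory_fs("link.txt", root),          # False
            "symlink_unseen_by_str": in_directory_str("link.txt", root),  # True
            "dotdot_str": in_directory_str("../etc/passwd", root),        # False
            "dotdot_fs": in_directory_fs("../etc/passwd", root),          # False
            "same_path": in_directory_fs(root, root),                     # True
        }
    finally:
        shutil.rmtree(root)
        shutil.rmtree(outside)

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `symlink_unseen_by_str` entry is the reason the string-only variant is only safe for fragments that are later joined onto a trusted root, while `same_path` is the `/tmp/moo` case from the description passing once the root itself is canonicalised.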
I reworked the approach as I described previously.
It is - trust me or re-verify yourself as you feel appropriate. I had already updated the docs to reflect this is a precondition of that function.
Sorry, I'm not following - you verified that it's called correctly?
Yes.
This PR was merged without a milestone attached.