New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: DEV-3212: Add validation to avoid users import local files using URL #2840
Conversation
|
|
|
This is not the case. Now users lost ability to import files from local filesystem. I'd like to suggest restrict usage of "file://" to label-studio DATA_DIR or HOME_DIR @makseq what do you think? |
Codecov Report
@@ Coverage Diff @@
## develop #2840 +/- ##
===========================================
- Coverage 77.80% 77.04% -0.76%
===========================================
Files 137 144 +7
Lines 9951 10601 +650
===========================================
+ Hits 7742 8168 +426
- Misses 2209 2433 +224
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
We have Local Storage functionality for file access on hard drives. It works the same way as you described, so I think it's ok to restrict file:// access here. Local Storage is more controllable and obvious way to do it. |
Description of the proposed changes
LS users are able to use data import functionality to access local files on the running system, including environment variables, etc. This is achieved by using
file://url schema (ie.file:///etc/passwd).Submitting a URL like this will cause Label Studio to fetch the local file and add it to the project, which can then be accessed in the
/data/uploadsfolder.Jira Ticket
https://heartex.atlassian.net/browse/DEV-3212