Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix remove unsafe path joins #913

Merged
merged 8 commits into from
May 2, 2022
Merged

Fix remove unsafe path joins #913

merged 8 commits into from
May 2, 2022

Conversation

fruttasecca
Copy link
Member

@fruttasecca fruttasecca commented Apr 29, 2022
edited by yannickperrenet
Loading

Related: #907

Fixes: #906

Credits to @porcupineyhairs for discovery and fix proposal

There are a couple of regressions on dev that make it not possible to test all edge cases, it's something we will have to look into next week.

@fruttasecca fruttasecca marked this pull request as ready for review April 29, 2022 13:01
@fruttasecca fruttasecca changed the title Fix/remove unsafe path joins Fix remove unsafe path joins Apr 29, 2022
yannickperrenet
yannickperrenet approved these changes Apr 29, 2022
View reviewed changes
Copy link
Contributor

@yannickperrenet yannickperrenet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💯

Thank you @porcupineyhairs!

ricklamers
ricklamers reviewed Apr 29, 2022
View reviewed changes
services/orchest-webserver/app/app/utils.py
@@ -629,7 +623,7 @@ def pipeline_set_notebook_kernels(pipeline_json, pipeline_directory, project_uui

if "ipynb" == step["file_path"].split(".")[-1]:

notebook_path = os.path.join(pipeline_directory, step["file_path"])
notebook_path = safe_join(pipeline_directory, step["file_path"])

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I expect this to cause problems because file paths can be relative and point to files above the pipeline directory. We should find all similar resolves of paths that use the pipeline step file path in particular.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, will take a look

@fruttasecca fruttasecca force-pushed the fix/remove-unsafe-path-join branch from 52f70de to 77574c4 Compare May 2, 2022 10:40
@fruttasecca fruttasecca merged commit a5401b6 into dev May 2, 2022
@fruttasecca fruttasecca deleted the fix/remove-unsafe-path-join branch May 2, 2022 10:44
@fruttasecca fruttasecca mentioned this pull request May 2, 2022
Closed
iannbing
iannbing reviewed May 2, 2022
View reviewed changes
services/orchest-webserver/app/app/utils.py


def is_valid_data_path(path: str):
return os.path.abspath(os.path.normpath(path)).startswith("/data")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@fruttasecca Isn't this line always returning false? os.path.abspath(os.path.normpath(path)) most likely would start with /userdir?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I propose changing it to

orchest/services/orchest-webserver/app/app/utils.py

Line 768 in 6f66315

return os.path.abspath(os.path.normpath(path)).startswith(_config.USERDIR_DATA)
in PR #914. Please review the change and discuss in the said PR. :-)

@fruttasecca fruttasecca added the fix PR fixes a bug label May 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@iannbing iannbing iannbing left review comments

@ricklamers ricklamers ricklamers left review comments

@yannickperrenet yannickperrenet yannickperrenet approved these changes

Assignees
No one assigned
Labels
fix PR fixes a bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@fruttasecca @iannbing @ricklamers @yannickperrenet