[Dashboard] Error 403 for ray dashboard on localhost in ray 2.8.0

[PhilippWillms]

What happened + What you expected to happen

Hello,
after installing ray 2.8.0 in Python 3.10.13 on Windows 11, I get working processes and job, but dashboard seems to be broken.

Behavior is kind of strange, as the classic address 127.0.0.1:8265 shows signal but only in the form of an empty / white page. Digging deeper in dev console, I can drill it down to the following two error messages:

GET http://127.0.0.1:8265/static/js/main.4e04a38d.js net::ERR_ABORTED 403 (Forbidden)
GET http://127.0.0.1:8265/static/css/main.388a904b.css net::ERR_ABORTED 403 (Forbidden)

Versions / Dependencies

ray==2.8.0
Python=3.10.13
Windows = 10.0.22631 Build 22631

Reproduction script

$ pip install "ray[dashboard, rllib, tune]==2.8.0"
$ ray start --head

Open http://127.0.0.1:8265 in any browser.

Issue Severity

Medium: It is a significant difficulty but I can work around it.

[mattip]

xref the discussion on https://discuss.ray.io/t/error-403-for-ray-dashboard-on-localhost-in-ray-2-8-0-on-windows11/12717

The problem came from #39018 where it is assumed that a path like /static/* can be converted via pathlib.resolve() to see if it is outside parent. These lines don't work as desired on windows, note the excess C:

ray/dashboard/http_server_head.py

Lines 137 to 142 in 790c506

	# If the destination is not relative to the expected directory,
	# then the user is attempting path traversal, so deny the request.
	request_path = pathlib.Path(request.path).resolve()
	if request_path != parent and parent not in request_path.parents:
	raise aiohttp.web.HTTPForbidden()
	return await handler(request)

variable	example
request.path	/static/js/main.4e04a38d.js
request_path	WindowsPath('C:/static/css/main.388a904b.css')
parent	WindowsPath('/static')

I debugged this by adding some logging before raising the error, which seems like it might help in general:

logger.info(f"FORBIDDEN: {request.path=} became {request_path=} != {parent=}")

cc @ijrsvt

[ijrsvt]

Hey @PhilippWillms Thanks so much for pointing this out! I completely forgot that Pathlib Paths directly interact with the underlying FileSystem. I think I just need to switch from a Path to a PurePosixPath and using posix-specific resolution!