[Dashboard] Prevent Directory Traversal #39018
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
thomasdesr
approved these changes
Aug 28, 2023
dashboard/http_server_head.py
Outdated
|
|
||
| # If the destination is not relative to the expected directoy, then the user is attempting | ||
| # path traversal, so deny the request | ||
| if not pathlib.Path(os.path.abspath(request.path)).is_relative_to(parent): |
There was a problem hiding this comment.
Suggested change
| if not pathlib.Path(os.path.abspath(request.path)).is_relative_to(parent): | |
| if not pathlib.Path(request.path).absolute().is_relative_to(parent): |
Mixing path libraries for a particular reason? (If its load bearing can you explain it in a comment?)
There was a problem hiding this comment.
Switched to resolve()
| @@ -128,6 +129,17 @@ def get_address(self): | |||
| assert self.http_host and self.http_port | |||
| return self.http_host, self.http_port | |||
|
|
|||
| @aiohttp.web.middleware | |||
| async def path_clean_middleware(self, request, handler): | |||
There was a problem hiding this comment.
Would it be possible to normalized all path values before passing it forward in the routing handler? (can we even do that in a middleware?)
There was a problem hiding this comment.
I'm not sure I understand what you mean?
There was a problem hiding this comment.
I was thinking that since these APIs lean on the request path itself and not a parameter or data field; if we could normalize the request.Path field itself before it was handled by the router/mux, then this would 404 instead of getting into the final handler.
That said, that almost certainly isn't something we can do from within Starlette middleware? Noop this idea xD
Signed-off-by: Ian Rodney <ian.rodney@gmail.com>
Signed-off-by: Ian Rodney <ian.rodney@gmail.com>
Signed-off-by: Ian Rodney <ian.rodney@gmail.com>
Signed-off-by: Ian Rodney <ian.rodney@gmail.com>
ijrsvt
force-pushed
the
fix-some-dashboard-path-traversals
branch
from
2f2f980
to
2e72429
Compare
Signed-off-by: Ian <ian.rodney@gmail.com>
ijrsvt
commented
Aug 30, 2023
Signed-off-by: Ian Rodney <ian.rodney@gmail.com>
Signed-off-by: Ian Rodney <ian.rodney@gmail.com>
|
Failing test is unrelated--merging |
simonsays1980
pushed a commit
to simonsays1980/ray
that referenced
this pull request
Sep 26, 2023
Ensure we can only go to subdirectories of logs and static resources. Signed-off-by: Simon Zehnder <simon.zehnder@gmail.com>
vymao
pushed a commit
to vymao/ray
that referenced
this pull request
Oct 11, 2023
Ensure we can only go to subdirectories of logs and static resources. Signed-off-by: Victor <vctr.y.m@example.com>
8 tasks
pcmoritz
pushed a commit
to pcmoritz/ray-1
that referenced
this pull request
Nov 30, 2023
Ensure we can only go to subdirectories of logs and static resources.
8 tasks
aslonnie
pushed a commit
that referenced
this pull request
Nov 30, 2023
* [Dashboard] Prevent Directory Traversal (#39018) Ensure we can only go to subdirectories of logs and static resources. * [core][state][log] State API should not allow reading files outside of the ray log directory on all ray nodes. (#41467) State API log retrieval has a security bug where one could pass: relative paths like "../../../xxx" to get file outside of ray's log dir absolute path that's refers to other files to get file somewhere else. This PR fixes both issues such that one could only read logs under the ray logs directory. --------- Signed-off-by: rickyyx <rickyx@anyscale.com> * [Dashboard] Migrate Logs page to use state api. (#41474) Migrates to use state-api, to unify behavior with CLI and UI Delete log_proxy API, it's legacy and has some security issues. --------- Signed-off-by: Alan Guo <aguo@anyscale.com> * [core][state][log] Enable following symlinks that point outside of the `root_log_dir` when resolving paths (#41502) Follow-up to: #41467. The change incidentally broke log retrieval on mac os because /tmp is a symlink to /private/tmp. This PR avoids resolving the symlink until after we do the subdir check. This solves the mac os problem and generically enables file paths that contain symlinks outside of the root_log_dir. --------- Signed-off-by: Edward Oakes <ed.nmi.oakes@gmail.com> --------- Signed-off-by: rickyyx <rickyx@anyscale.com> Signed-off-by: Alan Guo <aguo@anyscale.com> Signed-off-by: Edward Oakes <ed.nmi.oakes@gmail.com> Co-authored-by: Ian Rodney <ian.rodney@gmail.com> Co-authored-by: Ricky Xu <xuchen727@hotmail.com> Co-authored-by: Alan Guo <aguo@anyscale.com> Co-authored-by: Edward Oakes <ed.nmi.oakes@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why are these changes needed?
logsandstaticresources.Related issue number
Checks
git commit -s) in this PR.scripts/format.shto lint the changes in this PR.method in Tune, I've added it in
doc/source/tune/api/under thecorresponding
.rstfile.