
Use commonpath rather than common prefix for more secure access #7901

Merged: 2 commits merged on Jan 5, 2024

Conversation

kmcgrady (Collaborator) commented Jan 4, 2024

Describe your changes

We created a change that ensures users cannot access file contents outside of custom components folders, which leverages os.path.commonprefix. This works great except in the event where there exist folders that share the same prefix (/foo/bar/baz and /foo/bar/baz_qux). commonpath ensures the path is exactly the same.

GitHub Issue Link (if applicable)

Testing Plan

There's a unit test that covers this specific use case.


Contribution License Agreement

By submitting this pull request you agree that all contributions to this project are made under the Apache 2.0 license.
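The following is an added example to illustrate the containment check the PR describes; it is not Streamlit's own handler code. The component root `/foo/bar/baz` and the request paths are constructed, and `safe_component_file` is a hypothetical helper. The weak `commonprefix` check accepts the sibling directory `/foo/bar/baz_qux` because it shares the same leading characters, while `commonpath` compares whole path components and rejects it. The `ValueError` branch covers the case noted in the review comment: `commonpath` refuses to compare an absolute path with a relative one.

```python
import os
from typing import Optional, Tuple

# Constructed root for the illustration; not a path from the Streamlit code base.
COMPONENT_ROOT = "/foo/bar/baz"


def _resolve(root: str, requested: str) -> Tuple[str, str]:
    """Normalise both sides to absolute paths so '..' segments are collapsed
    before the comparison is made."""
    abs_root = os.path.abspath(root)
    target = os.path.abspath(os.path.join(abs_root, requested))
    return abs_root, target


def is_within_prefix(root: str, requested: str) -> bool:
    """The weak check the PR replaces: a character-level prefix comparison.
    A sibling directory such as /foo/bar/baz_qux starts with the same
    characters as /foo/bar/baz and is wrongly accepted."""
    abs_root, target = _resolve(root, requested)
    return os.path.commonprefix([abs_root, target]) == abs_root


def is_within_commonpath(root: str, requested: str) -> bool:
    """The hardened check: os.path.commonpath compares whole path
    components, so only paths at or below the root share the full root."""
    abs_root, target = _resolve(root, requested)
    try:
        return os.path.commonpath([abs_root, target]) == abs_root
    except ValueError:
        # commonpath raises ValueError for a mix of absolute and relative
        # paths (or, on Windows, paths on different drives). Anything it
        # cannot compare is treated as outside the root.
        return False


def safe_component_file(root: str, requested: str) -> Optional[str]:
    """Hypothetical helper (not Streamlit's API): return the absolute file
    path to serve, or None if the request escapes the component root."""
    if not is_within_commonpath(root, requested):
        return None
    return _resolve(root, requested)[1]


def commonpath_rejects_mixed_paths() -> bool:
    """Demonstrate the failure mode behind the test change: commonpath
    refuses to compare an absolute path with a relative one."""
    try:
        os.path.commonpath(["/foo/bar/baz", "not/a/real/path"])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed requests: a legitimate file, a sibling-directory escape that
    # only the prefix check lets through, and a plain traversal.
    for req in ("index.html", "../baz_qux/secret.txt", "../../etc/passwd"):
        print(
            f"{req!r:26} prefix={is_within_prefix(COMPONENT_ROOT, req)!s:5} "
            f"commonpath={is_within_commonpath(COMPONENT_ROOT, req)}"
        )
```

The sibling-directory case is the one the prefix check misses: `/foo/bar/baz_qux/secret.txt` has `/foo/bar/baz` as a string prefix, so `commonprefix` returns the root and the request passes, whereas `commonpath` returns `/foo/bar`, which does not equal the root.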

@@ -21,7 +21,7 @@
from streamlit.web.server import ComponentRequestHandler

URL = "http://not.a.real.url:3001"
PATH = "not/a/real/path"
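Review bot: `PATH = "not/a/real/path"` is a relative path, and os.path.commonpath raises ValueError when asked to compare an absolute path with a relative one, so once the handler moves from commonprefix to commonpath a test built on this constant would error instead of exercising the containment check; the hunk as rendered here shows only context lines, but the `+` line should make the constant absolute (for example `PATH = "/not/a/real/path"`).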
kmcgrady (Collaborator, Author) commented on this hunk:

commonpath will error if comparing absolute and relative paths. Both paths will always be relative, so I want the path in the test to be absolute.

@kmcgrady kmcgrady merged commit bd0a899 into develop Jan 5, 2024
47 of 48 checks passed
@kmcgrady kmcgrady deleted the fix/component-path branch January 5, 2024 18:40
zyxue pushed a commit to zyxue/streamlit that referenced this pull request Apr 16, 2024
…amlit#7901)

* Use commonpath rather than common prefix for more secure access

* Update Static File Handler