fix: CVE, do not let the cdn host files above the base cache dir

maartenbreddels · maartenbreddels · commit 391e2124a502 · 2024-07-10T15:02:48.000+02:00
This allowed arbitrary files to be read from the server, and could be
used to read files from the server that are not intended to be served.
diff --git a/solara/server/cdn_helper.py b/solara/server/cdn_helper.py
@@ -22,7 +22,14 @@ def put_in_cache(base_cache_dir: pathlib.Path, path, data: bytes):
 
 
 def get_from_cache(base_cache_dir: pathlib.Path, path):
-    cache_path = base_cache_dir / path
+    cache_path = (base_cache_dir / path).resolve()
+    # make sure cache_path is a subdirectory of base_cache_dir
+    # so we don't accidentally read files from the parent directory
+    # which is a security risk
+    if not str(cache_path).startswith(str(base_cache_dir.resolve())):
+        logger.warning("Trying to read from outside of cache directory: %s", cache_path)
+        raise PermissionError("Trying to read from outside of cache directory")
+
     try:
         logger.info("Opening cache file: %s", cache_path)
         return cache_path.read_bytes()
diff --git a/tests/unit/cdn_helper_test.py b/tests/unit/cdn_helper_test.py
@@ -2,6 +2,9 @@
 import os
 from pathlib import Path
 
+from pytest import TempPathFactory
+import pytest
+
 from solara.server.cdn_helper import get_cdn_url, get_data, get_from_cache, put_in_cache, get_path
 
 
@@ -68,6 +71,26 @@ def test_get_data(tmp_path_factory):
     assert data == b"test_cached_2"
 
 
+def test_get_data_secure(tmp_path_factory: TempPathFactory):
+    # we should never be able to get data from the parent directory
+
+    root_dir = tmp_path_factory.mktemp("root")
+    base_cache_dir = root_dir / "cdn"
+    base_cache_dir.mkdir()
+
+    (root_dir / "secret").write_bytes(b"not allowed")
+
+    project_dir = base_cache_dir / "project"
+    project_dir.mkdir()
+
+    (project_dir / "file").write_bytes(b"a")
+
+    data = get_data(base_cache_dir, "project/file")
+    assert data == b"a"
+    with pytest.raises(PermissionError):
+        get_data(base_cache_dir, "project/../../secret")
+
+
 def test_redirect(tmp_path_factory):
     base_cache_dir = tmp_path_factory.mktemp("cdn")
 
