-
Notifications
You must be signed in to change notification settings - Fork 549
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vulnerabilities Corrected: Tar Slip and Path Traversal #90
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the proposed changes !
I have a few remarks, in particular trying to achieve the same features with minimal changes to the code of hande_root
.
async def handle_root(_): | ||
return web.FileResponse(os.path.join(static_path, "index.html")) | ||
# Resolve the static path to an absolute path | ||
static_path = Path(static_path).resolve() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the typer will complain with this. I see you didn't run pre-commit hooks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
log("error", f"The provided static path is not a valid directory: {static_path}") | ||
sys.exit(1) | ||
|
||
# Optional: Define a base directory to restrict static content |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We do not want to have features that are based on uncommented lines of code. Could you remove this block?
# log("error", "Attempt to access a directory outside the allowed base directory.") | ||
# sys.exit(1) | ||
|
||
async def handle_root(_): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As we do not pretend to be resilient to a wrongly formed static
, I think I would rather have a mucher simpler implementation, closer to the original, simply adding before the serving:
assert (Path(static_path) / 'index.html').is_file(), "index.html missing in static folder."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
2 similar comments
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Closing this as no update over the last month. |
Checklist
cargo check
,cargo clippy
,cargo test
.PR Description
I, ThewsyRum, confirm that I have read and understood the terms of the CLA of Kyutai-labs, as outlined in the repository's CONTRIBUTING.md, and I agree to be bound by these terms.
Previously, calling extractall to unpack files from a tar archive didn't properly check the file paths, which could allow files to be extracted outside the intended directory.
tar.extractall(path=dist_tgz.parent)
Input from a command line argument is passed directly to aiohttp.web.FileResponse as a path. This could create a Path Traversal vulnerability, enabling an attacker to read arbitrary files on the server.
return web.FileResponse(os.path.join(static_path, "index.html"))