Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow StaticFiles follow symlinks #1683

Merged
merged 12 commits into from
Feb 4, 2023
Merged

Allow StaticFiles follow symlinks #1683

merged 12 commits into from
Feb 4, 2023

Conversation

aminalaee
Copy link
Member

@aminalaee aminalaee commented Jun 10, 2022
edited
Loading

After the previous attempt #1377 , this PR will allow StaticFiles to follow symlinks outside the directory.

Fixes #1083

Thanks to @Kludex and @m1ckey

@aminalaee aminalaee mentioned this pull request Jun 10, 2022
Closed
@aminalaee aminalaee marked this pull request as draft June 10, 2022 13:39
@aminalaee
Allow StaticFiles follow symlinks
4c6c59e 
Add test to prevent path traversal

Update requirements.txt

Update tests
@aminalaee aminalaee marked this pull request as ready for review June 10, 2022 14:30
aminalaee
aminalaee commented Jun 10, 2022
View reviewed changes
starlette/staticfiles.py
@@ -161,7 +161,7 @@ def lookup_path(
self, path: str
) -> typing.Tuple[str, typing.Optional[os.stat_result]]:
for directory in self.all_directories:
full_path = os.path.realpath(os.path.join(directory, path))
full_path = os.path.abspath(os.path.join(directory, path))
directory = os.path.realpath(directory)
if os.path.commonprefix([full_path, directory]) != directory:
# Don't allow misbehaving clients to break out of the static files
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I understand os.path.realpath will follow symbolic links and here we will stop it from going outside of statics directory.
Instead we can build the path with abspath and not follow symlinks (yet) and prevent breaking outside of directory and if file is a symlink it will do os.stat and by default it will follow symlinks.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not change line 165 realpath to abspath? If the directory is a symbolic link, line 166 will fail.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add a test with the scenario @scientificRat mentioned?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sure, I'll take a look.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if I got the point correctly, but I added the tests for this, but I think this change is not needed.

@aminalaee aminalaee requested a review from a team June 10, 2022 14:38
@Kludex Kludex modified the milestones: Version 0.21.0, Version 0.22.0 Jun 10, 2022
@aminalaee
Allow StaticFiles follow symlinks
a799da7 
Add test to prevent path traversal

Update requirements.txt

Update tests
@Kludex Kludex added the hold Don't merge it label Jun 11, 2022
@Kludex Kludex modified the milestones: Version 0.22.0, Version 0.21.0 Jun 30, 2022
ischaojie
ischaojie reviewed Jul 28, 2022
View reviewed changes
requirements.txt Outdated Show resolved Hide resolved
@Kludex Kludex modified the milestones: Version 0.21.0, Version 0.22.0 Sep 24, 2022
@Kludex Kludex modified the milestones: Version 0.22.0, Version 0.23.0 Nov 20, 2022
@Kludex Kludex modified the milestones: Version 0.23.0, Version 0.24.0 Dec 8, 2022
@Kludex Kludex removed the hold Don't merge it label Dec 12, 2022
Kludex
Kludex requested changes Dec 12, 2022
View reviewed changes
tests/test_staticfiles.py Outdated Show resolved Hide resolved
starlette/staticfiles.py
@@ -161,7 +161,7 @@ def lookup_path(
self, path: str
) -> typing.Tuple[str, typing.Optional[os.stat_result]]:
for directory in self.all_directories:
full_path = os.path.realpath(os.path.join(directory, path))
full_path = os.path.abspath(os.path.join(directory, path))
directory = os.path.realpath(directory)
if os.path.commonprefix([full_path, directory]) != directory:
# Don't allow misbehaving clients to break out of the static files
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add a test with the scenario @scientificRat mentioned?

@Kludex Kludex mentioned this pull request Dec 12, 2022
Merged
7 tasks
Kludex
Kludex requested changes Dec 17, 2022
View reviewed changes
Copy link
Member

@Kludex Kludex left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm still not 100% sure about this. 😞

I think I need to write a small summary about this, and what are the alternatives if we don't do it. 👀

tests/test_staticfiles.py Outdated Show resolved Hide resolved
@Kludex Kludex added the staticfiles Static file serving label Dec 17, 2022
@Kludex Kludex modified the milestones: Version 0.24.0, Version 0.25.0 Dec 17, 2022
Kludex
Kludex reviewed Feb 4, 2023
View reviewed changes
tests/test_staticfiles.py Outdated Show resolved Hide resolved
@Kludex
Copy link
Member

Kludex commented Feb 4, 2023

My previous concern on this PR was:

  • If a developer uses the same directory as the StaticFiles to upload files, we can have a scenario on which a symlink is uploaded there, and the machine can be exploited.

Should we be concerned about it? Is this feature wanted that bad? 🤔

@Kludex
Copy link
Member

Kludex commented Feb 4, 2023
edited
Loading

Can we make this feature opt-in i.e. add follow_symlink on the StaticFiles?

Let me know what you think @aminalaee

@Kludex Kludex modified the milestones: Version 0.25.0, Version 0.24.0 Feb 4, 2023
@aminalaee
Copy link
Member Author

Can we make this feature opt-in i.e. add follow_symlink on the StaticFiles?

Yeah that works, I will update the PR.

@Kludex
Copy link
Member

Kludex commented Feb 4, 2023

Thanks

@Kludex
Copy link
Member

Kludex commented Feb 4, 2023

I guess only docs are missing, and we are ready here 👀

@aminalaee
Copy link
Member Author

@Kludex I just updated the docs. Let me know what you think.

@Kludex
Copy link
Member

Kludex commented Feb 4, 2023

Thanks @aminalaee :)

Check your Twitter please.

@Kludex Kludex merged commit ea2e794 into master Feb 4, 2023
@Kludex Kludex deleted the statics-follow-symlinks branch February 4, 2023 17:22
aminalaee added a commit that referenced this pull request Feb 13, 2023
@aminalaee @Kludex
Allow StaticFiles follow symlinks (#1683)
d017340 
Co-authored-by: Marcelo Trylesinski <marcelotryle@gmail.com>
@sync-by-unito sync-by-unito bot mentioned this pull request Aug 28, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@scientificRat scientificRat scientificRat left review comments

@ischaojie ischaojie ischaojie left review comments

@yezz123 yezz123 yezz123 approved these changes

@Kludex Kludex Kludex approved these changes

Assignees
No one assigned
Labels
staticfiles Static file serving
Projects
None yet
Milestone
Version 0.24.0
Development

Successfully merging this pull request may close these issues.

StaticFiles middleware doesn't follow symlinks
5 participants
@aminalaee @Kludex @ischaojie @scientificRat @yezz123