Skip to content

Allow StaticFiles follow symlinks #1683

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Kludex merged 12 commits into from
Feb 4, 2023
Merged

Allow StaticFiles follow symlinks #1683

Kludex merged 12 commits into from
Feb 4, 2023

Conversation

@aminalaee
Copy link
Contributor

@aminalaee aminalaee commented Jun 10, 2022
edited
Loading

After the previous attempt #1377 , this PR will allow StaticFiles to follow symlinks outside the directory.

Fixes #1083

Thanks to @Kludex and @m1ckey

@aminalaee aminalaee mentioned this pull request Jun 10, 2022
Closed
@aminalaee aminalaee marked this pull request as draft June 10, 2022 13:39
@aminalaee
Allow StaticFiles follow symlinks
4c6c59e 
Add test to prevent path traversal

Update requirements.txt

Update tests
@aminalaee aminalaee force-pushed the statics-follow-symlinks branch from 9e4d72a to 4c6c59e Compare June 10, 2022 14:28
@aminalaee aminalaee marked this pull request as ready for review June 10, 2022 14:30
aminalaee
aminalaee commented Jun 10, 2022
View reviewed changes
starlette/staticfiles.py
full_path = os.path.abspath(os.path.join(directory, path))
directory = os.path.realpath(directory)
if os.path.commonprefix([full_path, directory]) != directory:
# Don't allow misbehaving clients to break out of the static files
Copy link
Contributor Author

@aminalaee aminalaee Jun 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I understand os.path.realpath will follow symbolic links and here we will stop it from going outside of statics directory.
Instead we can build the path with abspath and not follow symlinks (yet) and prevent breaking outside of directory and if file is a symlink it will do os.stat and by default it will follow symlinks.

Copy link

@scientificRat scientificRat Sep 23, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not change line 165 realpath to abspath? If the directory is a symbolic link, line 166 will fail.

Copy link
Owner

@Kludex Kludex Dec 12, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add a test with the scenario @scientificRat mentioned?

Copy link
Contributor Author

@aminalaee aminalaee Dec 12, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sure, I'll take a look.

Copy link
Contributor Author

@aminalaee aminalaee Dec 12, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if I got the point correctly, but I added the tests for this, but I think this change is not needed.

@aminalaee aminalaee requested a review from a team June 10, 2022 14:38
@Kludex Kludex modified the milestones: Version 0.21.0, Version 0.22.0 Jun 10, 2022
@aminalaee
Allow StaticFiles follow symlinks
a799da7 
Add test to prevent path traversal

Update requirements.txt

Update tests
@aminalaee aminalaee force-pushed the statics-follow-symlinks branch from 4c6c59e to a799da7 Compare June 11, 2022 08:02
@Kludex Kludex added the hold Don't merge it label Jun 11, 2022
@Kludex Kludex modified the milestones: Version 0.22.0, Version 0.21.0 Jun 30, 2022
ischaojie
ischaojie reviewed Jul 28, 2022
View reviewed changes
@Kludex Kludex modified the milestones: Version 0.21.0, Version 0.22.0 Sep 24, 2022
@Kludex Kludex modified the milestones: Version 0.22.0, Version 0.23.0 Nov 20, 2022
@Kludex Kludex modified the milestones: Version 0.23.0, Version 0.24.0 Dec 8, 2022
@Kludex Kludex removed the hold Don't merge it label Dec 12, 2022
Kludex
Kludex requested changes Dec 12, 2022
View reviewed changes
starlette/staticfiles.py
full_path = os.path.abspath(os.path.join(directory, path))
directory = os.path.realpath(directory)
if os.path.commonprefix([full_path, directory]) != directory:
# Don't allow misbehaving clients to break out of the static files
Copy link
Owner

@Kludex Kludex Dec 12, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add a test with the scenario @scientificRat mentioned?

@Kludex Kludex mentioned this pull request Dec 12, 2022
Merged
7 tasks
@aminalaee aminalaee force-pushed the statics-follow-symlinks branch from a54b472 to 9c7eab5 Compare December 12, 2022 10:39
@aminalaee aminalaee force-pushed the statics-follow-symlinks branch from 9c7eab5 to 140edb6 Compare December 12, 2022 10:39
@aminalaee aminalaee requested a review from Kludex December 12, 2022 10:48
Kludex
Kludex requested changes Dec 17, 2022
View reviewed changes
Copy link
Owner

@Kludex Kludex left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm still not 100% sure about this. 😞

I think I need to write a small summary about this, and what are the alternatives if we don't do it. 👀

@Kludex Kludex added the staticfiles Static file serving label Dec 17, 2022
@Kludex Kludex modified the milestones: Version 0.24.0, Version 0.25.0 Dec 17, 2022
Kludex
Kludex reviewed Feb 4, 2023
View reviewed changes
@Kludex
Copy link
Owner

Kludex commented Feb 4, 2023

My previous concern on this PR was:

  • If a developer uses the same directory as the StaticFiles to upload files, we can have a scenario on which a symlink is uploaded there, and the machine can be exploited.

Should we be concerned about it? Is this feature wanted that bad? 🤔

@Kludex
Copy link
Owner

Kludex commented Feb 4, 2023
edited
Loading

Can we make this feature opt-in i.e. add follow_symlink on the StaticFiles?

Let me know what you think @aminalaee

@Kludex Kludex modified the milestones: Version 0.25.0, Version 0.24.0 Feb 4, 2023
@aminalaee
Copy link
Contributor Author

aminalaee commented Feb 4, 2023

Can we make this feature opt-in i.e. add follow_symlink on the StaticFiles?

Yeah that works, I will update the PR.

@Kludex
Copy link
Owner

Kludex commented Feb 4, 2023

Thanks

@Kludex
Copy link
Owner

Kludex commented Feb 4, 2023

I guess only docs are missing, and we are ready here 👀

@aminalaee
Copy link
Contributor Author

aminalaee commented Feb 4, 2023

@Kludex I just updated the docs. Let me know what you think.

Kludex
Kludex reviewed Feb 4, 2023
View reviewed changes
@aminalaee aminalaee force-pushed the statics-follow-symlinks branch from f689dc4 to e3e85db Compare February 4, 2023 17:14
@Kludex
Copy link
Owner

Kludex commented Feb 4, 2023

Thanks @aminalaee :)

Check your Twitter please.

@Kludex Kludex merged commit ea2e794 into master Feb 4, 2023
@Kludex Kludex deleted the statics-follow-symlinks branch February 4, 2023 17:22
aminalaee added a commit that referenced this pull request Feb 13, 2023
@aminalaee @Kludex
Allow StaticFiles follow symlinks (#1683)
d017340 
Co-authored-by: Marcelo Trylesinski <[email protected]>
@sync-by-unito sync-by-unito bot mentioned this pull request Aug 28, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Kludex Kludex Kludex approved these changes

+3 more reviewers

@ischaojie ischaojie ischaojie left review comments

@scientificRat scientificRat scientificRat left review comments

@yezz123 yezz123 yezz123 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

staticfiles Static file serving

Projects

None yet

Milestone

Version 0.24.0

Development

Successfully merging this pull request may close these issues.

StaticFiles middleware doesn't follow symlinks

6 participants

@aminalaee @Kludex @ischaojie @scientificRat @yezz123