Restricting folder and files user can access from frontend #405
Labels
enhancement
New feature or request
Comments
|
Just seeing /etc/passwd is already kind of scary  ̄︶ ̄ We should definitely limit the f parameter to be subfolder of SQLLINEAGE_DIRECTORY. Thanks for reporting this. |
|
No problem. You also should ban using .. in the path, just to avoid path traversal completely |
reata
changed the title
|
We will return 403 when frontend sends request quering folder outside parent path. Everything is calculated based on absolute path. For user hosted sqllineage, this will be fine. For demo site, it's not hosted by sqllineage's webapp though. And it's in a standalone docker image without sensitive info. I'll stay as it is for the moment. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://reata.github.io/sqllineage/?f=/etc/passwd should not display the whole /etc tree. Contents are not displayed, however :)
Looks a bit like a security issue
The text was updated successfully, but these errors were encountered: