
Block /file= filepaths that could expose credentials on Windows #7444

Merged (5 commits), Feb 15, 2024
Conversation

abidlabs (Member)

No description provided.

@gradio-pr-bot (Collaborator)

gradio-pr-bot commented Feb 15, 2024

🪼 branch checks and previews

Name Status URL
Spaces ready! Spaces preview
Website ready! Website preview
🦄 Changes detected! Details

Install Gradio from this PR

pip install https://gradio-builds.s3.amazonaws.com/24bd0909a1904ebdb756087ed4f5ae8c47212477/gradio-4.19.0-py3-none-any.whl

Install Gradio Python Client from this PR

pip install "gradio-client @ git+https://github.com/gradio-app/gradio@24bd0909a1904ebdb756087ed4f5ae8c47212477#subdirectory=client/python"

@gradio-pr-bot (Collaborator)

gradio-pr-bot commented Feb 15, 2024

🦄 change detected

This Pull Request includes changes to the following packages.

Package Version
gradio minor
  • Maintainers can select this checkbox to manually select packages to update.

With the following changelog entry.

Block /file= filepaths that could expose credentials on Windows

Maintainers or the PR author can modify the PR title to modify this entry.

Something isn't right?

  • Maintainers can change the version label to modify the version bump.
  • If the bot has failed to detect any changes, or if this pull request needs to update multiple packages to different versions or requires a more comprehensive changelog entry, maintainers can update the changelog file directly.


@@ -720,25 +726,6 @@ def test_orjson_serialization():
demo.close()


def test_file_route_does_not_allow_dot_paths(tmp_path):
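Review bot: the hunk header `@@ -720,25 +726,6 @@` shows `test_file_route_does_not_allow_dot_paths` being removed with nothing replacing it in this file. Even if dot-files are now covered by the general rule that blocks every file in the working directory, keep a one-case regression test asserting that a dotfile in the working directory is still rejected by the file route, so that a later relaxation of the working-directory rule does not silently reopen the original dot-path issue.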
abidlabs (Member Author):

We don't need a dedicated test suite for this since this is no longer a special case (we simply block all files in the working directory).

@@ -428,12 +428,18 @@ async def file(path_or_url: str, request: fastapi.Request):
return RedirectResponse(
url=path_or_url, status_code=status.HTTP_302_FOUND
)

invalid_prefixes = ["//", "file://", "ftp://", "sftp://", "smb://"]
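Review bot: `invalid_prefixes = ["//", "file://", "ftp://", "sftp://", "smb://"]` is a denylist, and the comparison that consumes it is not visible in this hunk, so two gaps are likely: the backslash UNC form `\\host\share`, which Windows also resolves to a remote share, does not start with `//`, and mixed-case schemes such as `FILE://` are missed unless the comparison lowercases the input first; other remote schemes (`ipfs://`, for one) are simply absent from the list. Invert the logic: issue the `RedirectResponse` only when the parsed scheme is exactly `http` or `https` with a non-empty host, and treat everything else as a local path that must resolve under an explicitly allowed directory.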
Collaborator:

I believe checking whether or not abs_path exists will also fix the issue and it doesn't involve hardcoding this list of prefixes?

abidlabs (Member Author):

So I'm not totally sure, but it seems like any file operation on Windows could leak credentials.

Collaborator:

Yikes

Member:

Do we care about ipfs urls here too?

abidlabs (Member Author):

Probably so. I don't know that much about them, but let me rewrite them to prevent any protocols except for http/https.

@freddyaboulton (Collaborator) left a comment:

Looks good @abidlabs !

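The thread above settles on two rules: redirect only http/https, and block every file in the working directory rather than special-casing dot-paths. The following is an added example of that allowlist approach written for this page; it is not Gradio's code and not part of this PR. The function name `classify_file_param`, the `allowed_roots` and `cwd` parameters, the `demo` helper and all of its inputs (hostnames, file names, the temporary directories it creates) are constructed for illustration. The page itself does not explain the Windows mechanism; the example simply refuses UNC and protocol-relative paths before any filesystem call, so that no remote host is ever contacted on the server's behalf.

```python
"""Allowlist classifier for a ``/file=<path_or_url>`` style route.

Hypothetical example, not Gradio's implementation. Policy:
  * only http/https URLs with a host are treated as redirect targets;
  * every other scheme, and any UNC / protocol-relative path, is rejected
    (this covers ipfs://, smb://, file:// ... without listing them);
  * local paths are resolved (symlinks and ".." collapsed) and must sit
    under an explicitly allowed root;
  * files directly in the working directory are always rejected.
"""
import os
import re
import tempfile
from urllib.parse import urlsplit

ALLOWED_URL_SCHEMES = frozenset({"http", "https"})
# RFC 3986 scheme syntax: a letter followed by letters, digits, "+", "-" or "."
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def classify_file_param(path_or_url, allowed_roots, cwd):
    """Return ("redirect", url), ("file", abs_path) or ("blocked", reason)."""
    s = path_or_url.strip()

    # UNC (\\host\share) and protocol-relative (//host/share) forms: on
    # Windows a filesystem call on these contacts the remote host, so refuse
    # them before touching the filesystem at all.
    if s.startswith(("//", "\\\\")):
        return ("blocked", "unc-or-protocol-relative")

    m = _SCHEME_RE.match(s)
    if m and len(m.group(1)) > 1:          # "C:" is a drive letter, not a scheme
        scheme = m.group(1).lower()        # case-insensitive: FILE:// == file://
        if scheme not in ALLOWED_URL_SCHEMES:
            return ("blocked", f"scheme-not-allowed:{scheme}")
        if not urlsplit(s).netloc:         # "http:///x" has no host
            return ("blocked", "url-without-host")
        return ("redirect", s)

    # Local path: resolve relative to cwd, collapse "..", follow symlinks.
    cwd = os.path.realpath(cwd)
    resolved = os.path.realpath(os.path.join(cwd, s))
    if os.path.dirname(resolved) == cwd:
        return ("blocked", "file-in-working-directory")
    for root in allowed_roots:
        root = os.path.realpath(root)
        try:
            inside = os.path.commonpath([root, resolved]) == root
        except ValueError:                 # different drives on Windows
            inside = False
        if inside:
            if not os.path.isfile(resolved):
                return ("blocked", "not-a-regular-file")
            return ("file", resolved)
    return ("blocked", "outside-allowed-roots")


def demo():
    """Run the classifier over constructed inputs; returns {label: result}."""
    root = tempfile.mkdtemp(prefix="served-")   # constructed allowed root
    cwd = tempfile.mkdtemp(prefix="app-cwd-")   # constructed working directory
    with open(os.path.join(root, "report.csv"), "w") as f:
        f.write("constructed sample\n")
    with open(os.path.join(cwd, "secrets.env"), "w") as f:
        f.write("TOKEN=constructed\n")
    roots = [root, cwd]   # cwd is even listed as a root; its files stay blocked
    cases = {
        "http_url": "http://example.com/logo.png",
        "https_mixed_case": "HTTPS://Example.com/a",
        "http_no_host": "http:///no-host",
        "file_scheme": "file:///etc/passwd",
        "smb_scheme": "smb://attacker.example/share/x",
        "smb_upper": "SMB://attacker.example/share/x",
        "ftp_scheme": "ftp://attacker.example/x",
        "ipfs_scheme": "ipfs://QmExample/x",
        "protocol_relative": "//attacker.example/share/x",
        "unc_backslash": "\\\\attacker.example\\share\\x",
        "served_file": os.path.join(root, "report.csv"),
        "traversal": os.path.join(root, "..", "report.csv"),
        "cwd_relative": "secrets.env",
        "cwd_absolute": os.path.join(cwd, "secrets.env"),
    }
    return {name: classify_file_param(s, roots, cwd) for name, s in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```

The scheme check runs on the raw string before any path resolution, so `os.path.realpath` is never called on a remote form; the working-directory rule is applied after resolution, which is what makes a relative `secrets.env` and an absolute path to the same file behave identically.
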
@abidlabs abidlabs merged commit 4faf8a7 into main Feb 15, 2024
7 checks passed
@abidlabs abidlabs deleted the windows branch February 15, 2024 23:48
@pngwn pngwn mentioned this pull request Feb 15, 2024
abidlabs added a commit that referenced this pull request Feb 16, 2024
…ls on Windows) more general (#7453)

* test routes

* change

* add changeset

* add changeset

* type fixes

* fix typing issues

* typed dict

---------

Co-authored-by: gradio-pr-bot <gradio-pr-bot@users.noreply.github.com>
4 participants