container: Copy files before mounting them

Copy input files in a temporary dir before mounting them, thereby changing their permissions, without affecting the original files. This way, we can avoid cases where a file is accessible to the user only due to a supplemental user group, which does not work for containers. Fixes #157 Fixes #260 Fixes #335
freedomofpress · Feb 16, 2023 · 2042591 · 2042591
1 parent ea73f5d
commit 2042591
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/dangerzone/isolation_provider/container.py b/dangerzone/isolation_provider/container.py
@@ -220,17 +220,21 @@ def _convert(
  # Create a temporary directory inside the cache directory for this run. Then,
  # create some subdirectories for the various stages of the file conversion:
  #
+ # * unsafe: Where the input file will be copied
  # * pixel: Where the RGB data will be stored
  # * safe: Where the final PDF file will be stored
  with tempfile.TemporaryDirectory(dir=get_tmp_dir()) as t:
  tmp_dir = pathlib.Path(t)
+ unsafe_dir = tmp_dir / "unsafe"
+ unsafe_dir.mkdir()
  pixel_dir = tmp_dir / "pixels"
  pixel_dir.mkdir()
  safe_dir = tmp_dir / "safe"
  safe_dir.mkdir()
 
  return self._convert_with_tmpdirs(
  document=document,
+ unsafe_dir=unsafe_dir,
  pixel_dir=pixel_dir,
  safe_dir=safe_dir,
  ocr_lang=ocr_lang,
@@ -240,6 +244,7 @@ def _convert(
  def _convert_with_tmpdirs(
  self,
  document: Document,
+ unsafe_dir: pathlib.Path,
  pixel_dir: pathlib.Path,
  safe_dir: pathlib.Path,
  ocr_lang: Optional[str],
@@ -252,6 +257,9 @@ def _convert_with_tmpdirs(
  else:
  ocr = "0"
 
+ copied_file = unsafe_dir / "input_file"
+ shutil.copyfile(f"{document.input_filename}", copied_file)
+
  # Convert document to pixels
  command = [
  "/usr/bin/python3",
@@ -260,7 +268,7 @@ def _convert_with_tmpdirs(
  ]
  extra_args = [
  "-v",
- f"{document.input_filename}:/tmp/input_file:Z",
+ f"{copied_file}:/tmp/input_file:Z",
  "-v",
  f"{pixel_dir}:/dangerzone:Z",
  "-e",