Merge pull request from GHSA-q874-g24w-4q9g

* added checks for hidden files and directories on FileManager Class

* added checks for hidden files and directories in api handlers

* updated error messages to not mention hidden files

* cleaned up issues flagged by pre-commit

jupyter_server/services/contents/filemanager.py

@@ -188,6 +188,12 @@ def _base_model(self, path):
  os_path = self._get_os_path(path)
  info = os.lstat(os_path)
 
+ four_o_four = "file or directory does not exist: %r" % path
+
+ if is_hidden(os_path, self.root_dir) and not self.allow_hidden:
+ self.log.info("Refusing to serve hidden file or directory %r, via 404 Error", os_path)
+ raise web.HTTPError(404, four_o_four)
+
  try:
  # size of file
  size = info.st_size
@@ -365,11 +371,16 @@ def get(self, path, content=True, type=None, format=None):
  of the file or directory as well.
  """
  path = path.strip("/")
+ os_path = self._get_os_path(path)
+ four_o_four = "file or directory does not exist: %r" % path
 
  if not self.exists(path):
- raise web.HTTPError(404, "No such file or directory: %s" % path)
+ raise web.HTTPError(404, four_o_four)
+
+ if is_hidden(os_path, self.root_dir) and not self.allow_hidden:
+ self.log.info("Refusing to serve hidden file or directory %r, via 404 Error", os_path)
+ raise web.HTTPError(404, four_o_four)
 
- os_path = self._get_os_path(path)
  if os.path.isdir(os_path):
  if type not in (None, "directory"):
  raise web.HTTPError(
@@ -389,7 +400,7 @@ def get(self, path, content=True, type=None, format=None):
  def _save_directory(self, os_path, model, path=""):
  """create a directory"""
  if is_hidden(os_path, self.root_dir) and not self.allow_hidden:
- raise web.HTTPError(400, "Cannot create hidden directory %r" % os_path)
+ raise web.HTTPError(400, "Cannot create directory %r" % os_path)
  if not os.path.exists(os_path):
  with self.perm_to_403():
  os.mkdir(os_path)
@@ -410,6 +421,10 @@ def save(self, model, path=""):
  raise web.HTTPError(400, "No file content provided")
 
  os_path = self._get_os_path(path)
+
+ if is_hidden(os_path, self.root_dir) and not self.allow_hidden:
+ raise web.HTTPError(400, f"Cannot create file or directory {os_path!r}")
+
  self.log.debug("Saving %s", os_path)
 
  validation_error: dict = {}
@@ -452,8 +467,13 @@ def delete_file(self, path):
  path = path.strip("/")
  os_path = self._get_os_path(path)
  rm = os.unlink
- if not os.path.exists(os_path):
- raise web.HTTPError(404, "File or directory does not exist: %s" % os_path)
+ four_o_four = "file or directory does not exist: %r" % path
+
+ if not self.exists(path):
+ raise web.HTTPError(404, four_o_four)
+
+ if is_hidden(os_path, self.root_dir) and not self.allow_hidden:
+ raise web.HTTPError(400, f"Cannot delete file or directory {os_path!r}")
 
  def _check_trash(os_path):
  if sys.platform in {"win32", "darwin"}:
@@ -518,6 +538,11 @@ def rename_file(self, old_path, new_path):
  new_os_path = self._get_os_path(new_path)
  old_os_path = self._get_os_path(old_path)
 
+ if (
+ is_hidden(old_os_path, self.root_dir) or is_hidden(new_os_path, self.root_dir)
+ ) and not self.allow_hidden:
+ raise web.HTTPError(400, f"Cannot rename file or directory {old_os_path!r}")
+
  # Should we proceed with the move?
  if os.path.exists(new_os_path) and not samefile(old_os_path, new_os_path):
  raise web.HTTPError(409, "File already exists: %s" % new_path)

jupyter_server/services/contents/handlers.py

@@ -95,6 +95,8 @@ async def get(self, path=""):
  of the files and directories it contains.
  """
  path = path or ""
+ cm = self.contents_manager
+
  type = self.get_query_argument("type", default=None)
  if type not in {None, "directory", "file", "notebook"}:
  raise web.HTTPError(400, "Type %r is invalid" % type)
@@ -107,6 +109,9 @@ async def get(self, path=""):
  raise web.HTTPError(400, "Content %r is invalid" % content_str)
  content = int(content_str or "")
 
+ if await ensure_async(cm.is_hidden(path)) and not cm.allow_hidden:
+ raise web.HTTPError(404, f"file or directory {path!r} does not exist")
+
  model = await ensure_async(
  self.contents_manager.get(
  path=path,
@@ -126,6 +131,17 @@ async def patch(self, path=""):
  model = self.get_json_body()
  if model is None:
  raise web.HTTPError(400, "JSON body missing")
+
+ old_path = model.get("path")
+ if (
+ old_path
+ and (
+ await ensure_async(cm.is_hidden(path)) or await ensure_async(cm.is_hidden(old_path))
+ )
+ and not cm.allow_hidden
+ ):
+ raise web.HTTPError(400, f"Cannot rename file or directory {path!r}")
+
  model = await ensure_async(cm.update(model, path))
  validate_model(model, expect_content=False)
  self._finish_model(model)
@@ -191,6 +207,16 @@ async def post(self, path=""):
  raise web.HTTPError(400, "Cannot POST to files, use PUT instead.")
 
  model = self.get_json_body()
+ copy_from = model.get("copy_from")
+ if (
+ copy_from
+ and (
+ await ensure_async(cm.is_hidden(path))
+ or await ensure_async(cm.is_hidden(copy_from))
+ )
+ and not cm.allow_hidden
+ ):
+ raise web.HTTPError(400, f"Cannot copy file or directory {path!r}")
 
  if model is not None:
  copy_from = model.get("copy_from")
@@ -217,9 +243,17 @@ async def put(self, path=""):
  create a new empty notebook.
  """
  model = self.get_json_body()
+ cm = self.contents_manager
+
  if model:
  if model.get("copy_from"):
  raise web.HTTPError(400, "Cannot copy with PUT, only POST")
+ if (
+ (model.get("path") and await ensure_async(cm.is_hidden(model.get("path"))))
+ or await ensure_async(cm.is_hidden(path))
+ ) and not cm.allow_hidden:
+ raise web.HTTPError(400, f"Cannot create file or directory {path!r}")
+
  exists = await ensure_async(self.contents_manager.file_exists(path))
  if exists:
  await self._save(model, path)
@@ -233,6 +267,10 @@ async def put(self, path=""):
  async def delete(self, path=""):
  """delete a file in the given path"""
  cm = self.contents_manager
+
+ if await ensure_async(cm.is_hidden(path)) and not cm.allow_hidden:
+ raise web.HTTPError(400, f"Cannot delete file or directory {path!r}")
+
  self.log.warning("delete %s", path)
  await ensure_async(cm.delete(path))
  self.set_status(204)