security(weave): Fixing path traversal in send_local_file (#1657)

* fixing path traversal * lint --------- Co-authored-by: Josiah Lee <josiahwlee@gmail.com> Co-authored-by: jwlee64 <josiah.lee@wandb.com>
wandb · Jul 2, 2024 · f43d5fb · f43d5fb
1 parent c28d8d5
commit f43d5fb
Showing 1 changed file with 17 additions and 11 deletions.
diff --git a/weave/weave_server.py b/weave/weave_server.py
@@ -396,19 +396,25 @@ def execute_v2():
 
 @blueprint.route("/__weave/file/<path:path>")
 def send_local_file(path):
- # path is given relative to the FS root. check to see that path is a subdirectory of the
- # local artifacts path. if not, return 403. then if there is a cache scope function defined
- # call it to make sure we have access to the path
- abspath = (
- "/" / pathlib.Path(path)
- ) # add preceding slash as werkzeug strips this by default and it is reappended below in send_from_directory
  try:
- local_artifacts_path = pathlib.Path(filesystem.get_filesystem_dir()).absolute()
- except errors.WeaveAccessDeniedError:
- abort(403)
- if local_artifacts_path not in list(abspath.parents):
+ # Retrieve and normalize the local artifacts path
+ local_artifacts_path = pathlib.Path(filesystem.get_filesystem_dir()).resolve(
+ strict=True
+ )
+
+ # Construct the full absolute path of the requested file
+ requested_path = (local_artifacts_path / path).resolve(strict=True)
+
+ # Ensure the requested path is within the local artifacts directory
+ if not str(requested_path).startswith(str(local_artifacts_path)):
+ abort(403)
+
+ # Send the file from the directory
+ return send_from_directory(
+ local_artifacts_path, str(requested_path.relative_to(local_artifacts_path))
+ )
+ except (errors.WeaveAccessDeniedError, FileNotFoundError):
  abort(403)
- return send_from_directory("/", path)
 
 
 @blueprint.before_request