
fix: Prevent vfolder request-download API from accessing host filesystem #3241

Merged
merged 2 commits into from
Dec 13, 2024

Conversation

jopemachine
Member

@jopemachine jopemachine commented Dec 11, 2024

Fixes https://github.com/lablup/giftbox/issues/786.

The existing VFolder request-download API could download files outside of the vfolder.
For example, using the vfolder CLI command that utilizes this API, we can download host files as shown below.

❯ ./backend.ai vfolder download test ../some_host_file -b vfolder_name
Downloading to /home/jopemachine/backend.ai/vfolder_name/../some_host_file ...
0.00bytes [00:00, ?bytes/s]
✓ Done.

This is clearly a security vulnerability, as it can be exploited, for example, as shown in issue 786.
After applying the PR, passing a path outside the VFolder will result in a 404 error.

Thanks to @fregataa for resolving this issue.


Checklist: (if applicable)

  • Milestone metadata specifying the target backport version
  • Mention to the original issue
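The defect described above is a path containment failure: the requested relative path is joined onto the vfolder root without checking that the result still lies under that root. Below is an added example of the kind of check that closes it, written for this page and not Backend.AI's own code; the vfolder layout, the file names and the helper names (`resolve_inside_vfolder`, `is_download_allowed`, `PathOutsideVFolder`) are assumptions. It canonicalises both the root and the candidate with `Path.resolve()` and refuses anything that escapes, which covers `..` traversal, absolute paths and symlinks pointing out of the folder in one test; a caller would map the refusal to the 404 the PR description mentions.

```python
import tempfile
from pathlib import Path


class PathOutsideVFolder(Exception):
    """Raised when a requested path escapes the vfolder root (hypothetical error type)."""


def resolve_inside_vfolder(vfolder_root: Path, requested: str) -> Path:
    """Return the real filesystem path for `requested`, or raise if it escapes the root.

    Both sides are canonicalised with resolve() so that '..' segments, absolute
    paths and symlinks whose target lies outside the vfolder are all caught by
    the same containment test.
    """
    root = vfolder_root.resolve()
    # Path joining with an absolute right-hand side discards the root, so an
    # absolute request resolves to the host path and fails the check below.
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PathOutsideVFolder(requested) from None
    return candidate


def is_download_allowed(vfolder_root: Path, requested: str) -> bool:
    """Boolean wrapper: True when the request stays inside the vfolder."""
    try:
        resolve_inside_vfolder(vfolder_root, requested)
    except PathOutsideVFolder:
        return False
    return True


def demo() -> dict:
    """Build a constructed layout in a temp dir and evaluate several requests.

    Layout (constructed for this example, not taken from any real deployment):
        <tmp>/some_host_file          -- a file outside the vfolder
        <tmp>/vfolder_name/inside.txt -- a legitimate vfolder file
        <tmp>/vfolder_name/escape     -- symlink to ../some_host_file
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "vfolder_name"
        root.mkdir()
        (root / "inside.txt").write_text("vfolder content")
        (base / "some_host_file").write_text("host content")
        (root / "escape").symlink_to(base / "some_host_file")
        requests = [
            "inside.txt",            # plain file inside the vfolder
            "sub/../inside.txt",     # traversal that still stays inside
            "../some_host_file",     # the escape from the PR description
            "escape",                # symlink whose target is outside
            "/etc/hostname",         # absolute path ignores the root entirely
        ]
        return {req: is_download_allowed(root, req) for req in requests}


if __name__ == "__main__":
    for req, allowed in demo().items():
        print(f"{req:20s} -> {'serve' if allowed else '404 not found'}")
```

Resolving the root first matters: on systems where the vfolder base itself sits behind a symlink (for example a temp directory under a symlinked `/var`), comparing an unresolved root against a resolved candidate would reject every request. The symlink case shows why a purely lexical `..` check is not enough; only canonicalisation catches a link inside the folder that points at host files.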

@github-actions github-actions bot added comp:storage-proxy Related to Storage proxy component size:XS ~10 LoC labels Dec 11, 2024
@jopemachine jopemachine added this to the 24.03 milestone Dec 11, 2024
@jopemachine jopemachine added the type:bug Reports about that are not working label Dec 11, 2024
@jopemachine jopemachine marked this pull request as ready for review December 11, 2024 06:25
@jopemachine jopemachine force-pushed the fix/vfolder-host-file-download-vulnerability branch from 5f95026 to 6efb3f0 Compare December 13, 2024 00:46
@jopemachine jopemachine requested a review from achimnol December 13, 2024 03:33
@Yaminyam Yaminyam requested a review from Copilot December 13, 2024 04:37


Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

Collaborator

@HyeockJinKim HyeockJinKim left a comment


LGTM

@HyeockJinKim HyeockJinKim added this pull request to the merge queue Dec 13, 2024
Merged via the queue into main with commit c1af037 Dec 13, 2024
20 checks passed
@HyeockJinKim HyeockJinKim deleted the fix/vfolder-host-file-download-vulnerability branch December 13, 2024 05:16
lablup-octodog pushed a commit that referenced this pull request Dec 13, 2024
…ystem (#3241)

Backported-from: main (24.12)
Backported-to: 24.03
Backport-of: 3241
lablup-octodog pushed a commit that referenced this pull request Dec 13, 2024
…ystem (#3241)

Backported-from: main (24.12)
Backported-to: 24.09
Backport-of: 3241
github-merge-queue bot pushed a commit that referenced this pull request Dec 13, 2024
github-merge-queue bot pushed a commit that referenced this pull request Dec 13, 2024