Skip to content

fix: FileProvider.validate() leaked files outside root #4474

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 14, 2025
Merged

fix: FileProvider.validate() leaked files outside root #4474

merged 1 commit into from
Oct 14, 2025

Conversation

@jholecek-rh
Copy link
Contributor

All Pull Requests:

Check all that apply:

  • Have you followed the guidelines in our Contributing document, including the instructions about commit messages?
  • No Sensitive Data in this change?
  • Is this PR to correct an issue?
  • Is this PR an enhancement?

Complete Description of Additions/Changes:

Fixes two issues and adds two improvements:

  • FileProvider would read files outside the root if the root were a prefix of the file path string-wise. Consider a root path /tmp/sample/root and a relative path ../root.txt, resulting in reading a file /tmp/sample/root.txt.

  • The "inside root" check was performed after checking if file existed. This would expose information about files outside the root through the exception. While an exploit would be difficult (if possible at all), it is better to fix this weakness anyway.

  • The exception type is changed from the most generic Exception to ValueError to make it easier to distinguish it from ContentException that is raised in other cases.

  • The "/" literal in path operations is changed to os.sep to improve portability.

@codecov-commenter
Copy link

codecov-commenter commented Jun 5, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 81.81818% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.03%. Comparing base (6a819a7) to head (1bb158d).

Files with missing lines Patch % Lines
insights/core/spec_factory.py 81.81% 1 Missing and 1 partial ⚠️
Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #4474   +/-   ##
=======================================
  Coverage   89.03%   89.03%           
=======================================
  Files         722      722           
  Lines       33311    33316    +5     
  Branches     4940     4941    +1     
=======================================
+ Hits        29659    29664    +5     
  Misses       2922     2922           
  Partials      730      730
Flag Coverage Δ
unittests 89.02% <81.81%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

xiangce
xiangce reviewed Jun 24, 2025
View reviewed changes
@xiangce xiangce added the data processing Changes that would impact the data processing/analyzing label Jul 28, 2025
xiangce
xiangce approved these changes Oct 8, 2025
View reviewed changes
Copy link
Contributor

@xiangce xiangce left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per our F2F discussion, this PR is ready to merge. @jholecek-rh - please rebase it firstly and open another PR to the 3.0_egg branch for the same change. Thanks.

@xiangce xiangce added RPM RPM package related only. CORE Core Framework related and removed data processing Changes that would impact the data processing/analyzing labels Oct 8, 2025
@jholecek-rh
fix: FileProvider.validate() leaked files outside root
1bb158d 
Fixes two issues and adds two improvements:

* FileProvider would read files outside the root if the root were
  a prefix of the file path string-wise. Consider a root path
  `/tmp/sample/root` and a relative path `../root.txt`, resulting in
  reading a file `/tmp/sample/root.txt`.

* The "inside root" check was performed after checking if file existed.
  This would expose information about files outside the root through the
  exception. While an exploit would be difficult (if possible at all),
  it is better to fix this weakness anyway.

* The exception type is changed from the most generic `Exception` to
  `ValueError` to make it easier to distinguish it from
  `ContentException` that is raised in other cases.

* The `"/"` literal in path operations is changed to `os.sep` to improve
  portability.

Signed-off-by: Jan Holeček <71874510+jholecek-rh@users.noreply.github.com>
@jholecek-rh jholecek-rh mentioned this pull request Oct 8, 2025
Merged
1 task
@jholecek-rh
Copy link
Contributor Author

@xiangce Both done. The DCO check is failing on the other PR but I think it is from a previous version of the PR which I created against master by mistake. I didn't find a way to restart the check. This new process with two PRs for every change seems very labor-intensive and error-prone.

@xiangce xiangce merged commit 0aa5367 into RedHatInsights:master Oct 14, 2025
22 of 25 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xiangce xiangce xiangce approved these changes

Assignees

No one assigned

Labels

CORE Core Framework related RPM RPM package related only.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jholecek-rh @codecov-commenter @xiangce