
Fixed security issue where the user could access unathorized files by…
… inputting a relative path into the API
Pablo Rodríguez Flores committed Jan 9, 2024
1 parent 7c57547 commit 224a938
Showing 2 changed files with 17 additions and 2 deletions.
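--- a/resources/src/server/rest.py
+++ b/resources/src/server/rest.py
@@ -105,8 +105,11 @@ def calculate():
             else:
                 try:
                     decoded_model = base64.b64decode(model).decode('utf-8')
-                    model_path = os.path.join(self.ai_path, f"{decoded_model}.keras")
-                    if not os.path.isfile(model_path):
+                    model_path = os.path.normpath(os.path.join(self.ai_path, f"{decoded_model}.keras"))
+                    if not model_path.startswith(os.path.normpath(self.ai_path)):
+                        logger.logger.error(f"Attempted unauthorized file access: {decoded_model}")
+                        model = 'default'
+                    elif not os.path.isfile(model_path):
                         logger.logger.error(f"Model {decoded_model} does not exist")
                         model = 'default'
                     else: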
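Review bot: The containment check on the new `if not model_path.startswith(os.path.normpath(self.ai_path))` line is a string-prefix comparison, not a directory-containment test: `normpath` drops any trailing separator, so a path that normalises to a sibling directory whose name merely begins with the same characters as `ai_path` passes the check, and symlinks under `ai_path` are never resolved. Comparing real paths with `os.path.commonpath` closes both gaps: `base = os.path.realpath(self.ai_path)`, `model_path = os.path.realpath(os.path.join(base, f"{decoded_model}.keras"))`, `if os.path.commonpath([base, model_path]) != base:`. The error message on the following line interpolates the user-supplied `decoded_model` verbatim; logging it as `{decoded_model!r}` keeps embedded newlines or control characters from forging extra log records. The enclosing function begins and ends outside the hunk.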
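--- a/resources/tests/test_rest.py
+++ b/resources/tests/test_rest.py
@@ -68,6 +68,18 @@ def test_calculate_endpoint_invalid_model(self, mock_isfile, mock_execute_model,
             self.assertEqual(response.status_code, 200)
             self.assertEqual(response.get_json(), self.output_data)
 
+    @patch('druid.client.DruidClient.execute_query')
+    @patch('ai.shallow_outliers.ShallowOutliers.execute_prediction_model')
+    @patch('os.path.isfile')
+    def test_calculate_endpoint_unathorized_model_access(self, mock_isfile, mock_execute_model, mock_query):
+        mock_execute_model.return_value = self.output_data
+        mock_query.return_value = {}
+        mock_isfile.return_value = False
+        data = {'model':'Li90ZXN0', 'query':'eyJhc2RmIjoiYXNkZiJ9'}
+        with self.api_server.app.test_client().post('/api/v1/outliers', data=data) as response:
+            self.assertEqual(response.status_code, 200)
+            self.assertEqual(response.get_json(), self.output_data)
+
     @patch('druid.client.DruidClient.execute_query')
     @patch('ai.shallow_outliers.ShallowOutliers.execute_prediction_model')
     @patch('os.path.isfile')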
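Review bot: The new `test_calculate_endpoint_unathorized_model_access` cannot fail without the fix it is meant to cover: `mock_isfile.return_value = False` already routes every model through the pre-existing "does not exist" branch, which falls back to `'default'` and produces exactly the 200 / `self.output_data` result the test asserts, and the page's own coverage annotation reports the guard's lines 110–111 as not executed. The base64 `model` value also appears to decode to a relative path that stays inside `ai_path` after normalisation, so the guard would not trigger even with `isfile` mocked to True. To make the test meaningful, set `mock_isfile.return_value = True`, use a model value that normalises outside `ai_path`, and assert on an effect only the guard produces, e.g. wrap the request in `with self.assertLogs(<module logger>, level='ERROR') as cm:` and check that `"Attempted unauthorized file access"` appears in `cm.output`. The method name should also read `unauthorized` to match the production log message.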
