fix: path traversal in logs endpoint (#18462)

r1b · web-flow · commit dbb064c2ddda · 2023-12-04T16:06:22.000-08:00
## Summary & Motivation Its currently possible to read arbitrary files with the `/logs` endpoint in `dagster-webserver`. The only restriction is that the filename must contain a "dot". For example, this cURL invocation allows me to read my `.bash_history` file when running `dagster-webserver` locally: ``` curl -vvv -X GET 'http://localhost:3333/logs/%2e%2e/%2e%2e/%2e%2e/%2e%2e//bash_history' ``` The proposed fix calls `os.path.abspath` [1] on paths constructed in`get_captured_local_path`. If the normalized path does not start with the logs dir, a `ValueError` is raised. [1] https://docs.python.org/3/library/os.path.html#os.path.abspath ## How I Tested These Changes See added unit tests
diff --git a/python_modules/dagster-webserver/dagster_webserver_tests/webserver/test_app.py b/python_modules/dagster-webserver/dagster_webserver_tests/webserver/test_app.py
@@ -289,3 +289,13 @@ def test_async(test_client: TestClient):
     result = response.json()
     assert result["data"]["test"]["one"] == "slept", result
     assert result["data"]["test"]["two"] == "slept concurrently", result
+
+
+def test_download_captured_logs_not_found(test_client: TestClient):
+    response = test_client.get("/logs/does-not-exist/stdout")
+    assert response.status_code == 404
+
+
+def test_download_captured_logs_invalid_path(test_client: TestClient):
+    with pytest.raises(ValueError, match="Invalid path"):
+        test_client.get("/logs/%2e%2e/secret/txt")
diff --git a/python_modules/dagster/dagster/_core/storage/local_compute_log_manager.py b/python_modules/dagster/dagster/_core/storage/local_compute_log_manager.py
@@ -226,7 +226,11 @@ def get_captured_local_path(self, log_key: Sequence[str], extension: str, partia
             filename = f"{filename}.partial"
         if len(filename) > MAX_FILENAME_LENGTH:
             filename = "{}.{}".format(hashlib.md5(filebase.encode("utf-8")).hexdigest(), extension)
-        return os.path.join(self._base_dir, *namespace, filename)
+        location = os.path.join(self._base_dir, *namespace, filename)
+        location = os.path.abspath(location)
+        if not location.startswith(self._base_dir):
+            raise ValueError("Invalid path")
+        return location
 
     def subscribe(
         self, log_key: Sequence[str], cursor: Optional[str] = None
