Prevent file traversals #6833

Merged
merged 5 commits into from
Dec 18, 2023

Member

@abidlabs abidlabs commented Dec 18, 2023

@gradio-pr-bot
Collaborator

gradio-pr-bot commented Dec 18, 2023

🪼 branch checks and previews

Name Status URL
Spaces ready! Spaces preview
Website ready! Website preview
🦄 Changes detected! Details

Install Gradio from this PR

pip install https://gradio-builds.s3.amazonaws.com/6df1e846352c26135ee970ec7d6bc772ea8b33d3/gradio-4.10.0-py3-none-any.whl

Install Gradio Python Client from this PR

pip install "gradio-client @ git+https://github.com/gradio-app/gradio@6df1e846352c26135ee970ec7d6bc772ea8b33d3#subdirectory=client/python"

@gradio-pr-bot
Collaborator

gradio-pr-bot commented Dec 18, 2023

🦄 change detected

This Pull Request includes changes to the following packages.

Package Version
gradio minor
  • Maintainers can select this checkbox to manually select packages to update.

With the following changelog entry.

Prevent file traversals

Maintainers or the PR author can modify the PR title to modify this entry.

Something isn't right?

  • Maintainers can change the version label to modify the version bump.
  • If the bot has failed to detect any changes, or if this pull request needs to update multiple packages to different versions or requires a more comprehensive changelog entry, maintainers can update the changelog file directly.

Collaborator

@freddyaboulton freddyaboulton left a comment

Thanks @abidlabs !

Collaborator

@freddyaboulton freddyaboulton left a comment

Would be nice to write a unit test for this!

@abidlabs abidlabs marked this pull request as ready for review December 18, 2023 21:46
@abidlabs
Member Author

I tried to write a unit test but for some reason I can't reproduce this behavior with fastapi's test client. Only curl seems to have this effect (and only if you pass in the --path-as-is flag).

@abidlabs
Member Author

Apparently due to this PR urllib3/urllib3#1487. Let me see if I can write a unit test a different way.

@abidlabs
Member Author

Ok added a quick unit test. Thanks for the review @freddyaboulton! Will merge after CI is green

@abidlabs abidlabs merged commit 1b9d423 into main Dec 18, 2023
15 checks passed
@abidlabs abidlabs deleted the prevent-file-traversal branch December 18, 2023 22:30
@pngwn pngwn mentioned this pull request Dec 18, 2023
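
The thread above notes that the traversal request only reproduced with curl's `--path-as-is` flag, which stops curl from collapsing `/../` and `/./` sequences before sending. The sketch below is an added example, not code from this PR or from Gradio: it assumes a hypothetical `/assets/` file route and a hypothetical containment check `resolve_inside`, and shows why a client that applies RFC 3986 dot-segment removal never reaches the check, so a unit test should call the check directly with the raw path.

```python
import tempfile
from pathlib import Path
from typing import Optional

PREFIX = "/assets/"  # hypothetical route prefix, not Gradio's

def remove_dot_segments(path: str) -> str:
    """Dot-segment removal (RFC 3986 section 5.2.4) as a normalizing client applies it."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if len(out) > 1:      # never pop the leading "" (the root slash)
                out.pop()
        elif seg != ".":
            out.append(seg)
    if path.endswith(("/.", "/..")):
        out.append("")            # keep the trailing slash the RFC produces
    return "/".join(out)

def handler_arg(request_target: str) -> Optional[str]:
    """Suffix the file route would receive, or None if the route does not match."""
    if request_target.startswith(PREFIX):
        return request_target[len(PREFIX):]
    return None

def resolve_inside(root: Path, request_path: str) -> Optional[Path]:
    """Return the resolved file path only if it stays under root, else None."""
    root = root.resolve()
    # An absolute request_path replaces root in the join; the check below rejects it too.
    candidate = (root / request_path).resolve()
    return candidate if candidate.is_relative_to(root) else None

def demo() -> dict:
    raw = "/assets/../../outside.txt"  # constructed sample request target
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "served"
        root.mkdir()
        (root / "ok.txt").write_text("ok")
        normalized = remove_dot_segments(raw)
        return {
            "normalized": normalized,
            # After client-side normalization the file route is never hit.
            "route_hit_after_normalizing": handler_arg(normalized) is not None,
            # The raw path reaches the handler and must be rejected there.
            "raw_blocked": resolve_inside(root, handler_arg(raw)) is None,
            "ok_served": resolve_inside(root, "ok.txt") == (root / "ok.txt").resolve(),
        }

if __name__ == "__main__":
    print(demo())
```
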
Successfully merging this pull request may close these issues.

SECURITY issue - contact requested