texera icon indicating copy to clipboard operation
texera copied to clipboard

Published 20 hours ago verified publisher icon Texera

File path validation

Open Yicong-Huang opened this issue 4 years ago • 6 comments

The current File Source operator can access any path that user specifies. This has potential security issue. We should do validation on the path of user input, restrict a user to only access files/paths belong to him/her.

Created from JetBrains using CodeStream

Yicong-Huang avatar Feb 19 '21 18:02 Yicong-Huang

Discussion 01/13/2021: @Yicong-Huang will fix it some time. Could be assigned to ugrad.

Yicong-Huang avatar Jan 13 '22 21:01 Yicong-Huang

~Appears to have been solved by #1251~

Edit: logged in users can only access files through UserFileUtils, which has a permissions mechanism. sessions without a userID can still choose any path?

MysteriousChallenger avatar Mar 04 '22 02:03 MysteriousChallenger

Discussion 2022.05.12: We leave this open.

Xiao-zhen-Liu avatar May 12 '22 20:05 Xiao-zhen-Liu

Discussion 2022.12.07: To be confirmed and closed by @Yicong-Huang and @zuozhiw.

Xiao-zhen-Liu avatar Dec 08 '22 00:12 Xiao-zhen-Liu

With the change of #1688, users can now input file paths manually on the UI. So the security issue remains valid.

Yicong-Huang avatar Apr 17 '23 17:04 Yicong-Huang

containers will solve this issue.

shengquan-ni avatar Dec 19 '23 18:12 shengquan-ni