Merge pull request ClickHouse#76214 from ClickHouse/backport/24.3/75954

Author: rschu1ze

programs/library-bridge/LibraryBridge.cpp

@@ -25,7 +25,7 @@ std::string LibraryBridge::bridgeName() const
 
 LibraryBridge::HandlerFactoryPtr LibraryBridge::getHandlerFactoryPtr(ContextPtr context) const
 {
-    return std::make_shared<LibraryBridgeHandlerFactory>("LibraryRequestHandlerFactory", keep_alive_timeout, context);
+    return std::make_shared<LibraryBridgeHandlerFactory>("LibraryRequestHandlerFactory", keep_alive_timeout, context, libraries_paths);
 }
 
 }

programs/library-bridge/LibraryBridgeHandlerFactory.cpp

@@ -10,11 +10,13 @@ namespace DB
 LibraryBridgeHandlerFactory::LibraryBridgeHandlerFactory(
     const std::string & name_,
     size_t keep_alive_timeout_,
-    ContextPtr context_)
+    ContextPtr context_,
+    std::vector<std::string> libraries_paths_)
     : WithContext(context_)
     , log(getLogger(name_))
     , name(name_)
     , keep_alive_timeout(keep_alive_timeout_)
+    , libraries_paths(std::move(libraries_paths_))
 {
 }
 
@@ -34,9 +36,9 @@ std::unique_ptr<HTTPRequestHandler> LibraryBridgeHandlerFactory::createRequestHa
     if (request.getMethod() == Poco::Net::HTTPRequest::HTTP_POST)
     {
         if (uri.getPath() == "/extdict_request")
-            return std::make_unique<ExternalDictionaryLibraryBridgeRequestHandler>(keep_alive_timeout, getContext());
+            return std::make_unique<ExternalDictionaryLibraryBridgeRequestHandler>(keep_alive_timeout, getContext(), libraries_paths);
         else if (uri.getPath() == "/catboost_request")
-            return std::make_unique<CatBoostLibraryBridgeRequestHandler>(keep_alive_timeout, getContext());
+            return std::make_unique<CatBoostLibraryBridgeRequestHandler>(keep_alive_timeout, getContext(), libraries_paths);
     }
 
     return nullptr;

programs/library-bridge/LibraryBridgeHandlerFactory.h

@@ -14,14 +14,16 @@ class LibraryBridgeHandlerFactory : public HTTPRequestHandlerFactory, WithContex
     LibraryBridgeHandlerFactory(
         const std::string & name_,
         size_t keep_alive_timeout_,
-        ContextPtr context_);
+        ContextPtr context_,
+        std::vector<std::string> libraries_paths_);
 
     std::unique_ptr<HTTPRequestHandler> createRequestHandler(const HTTPServerRequest & request) override;
 
 private:
     LoggerPtr log;
     const std::string name;
     const size_t keep_alive_timeout;
+    const std::vector<std::string> libraries_paths;
 };
 
 }

programs/library-bridge/LibraryBridgeHandlers.cpp

@@ -2,13 +2,13 @@
 
 #include "CatBoostLibraryHandlerFactory.h"
 #include "Common/ProfileEvents.h"
-#include "ExternalDictionaryLibraryHandler.h"
 #include "ExternalDictionaryLibraryHandlerFactory.h"
 
 #include <Formats/FormatFactory.h>
 #include <IO/ReadBufferFromString.h>
 #include <IO/ReadHelpers.h>
 #include <Common/BridgeProtocolVersion.h>
+#include <Common/filesystemHelpers.h>
 #include <IO/WriteHelpers.h>
 #include <Poco/Net/HTTPServerRequest.h>
 #include <Poco/Net/HTTPServerResponse.h>
@@ -24,7 +24,8 @@
 #include <Formats/NativeReader.h>
 #include <Formats/NativeWriter.h>
 #include <DataTypes/DataTypesNumber.h>
-#include <DataTypes/DataTypeString.h>
+#include <filesystem>
+#include <boost/algorithm/string/join.hpp>
 
 
 namespace DB
@@ -86,14 +87,26 @@ static void writeData(Block data, OutputFormatPtr format)
 }
 
 
-ExternalDictionaryLibraryBridgeRequestHandler::ExternalDictionaryLibraryBridgeRequestHandler(size_t keep_alive_timeout_, ContextPtr context_)
+ExternalDictionaryLibraryBridgeRequestHandler::ExternalDictionaryLibraryBridgeRequestHandler(size_t keep_alive_timeout_, ContextPtr context_, std::vector<std::string> libraries_paths_)
     : WithContext(context_)
     , keep_alive_timeout(keep_alive_timeout_)
     , log(getLogger("ExternalDictionaryLibraryBridgeRequestHandler"))
+    , libraries_paths(std::move(libraries_paths_))
 {
 }
 
 
+static bool checkLibraryPath(const std::string & path, const std::vector<std::string> & allowed_prefixes, HTTPServerResponse & response)
+{
+    for (const auto & prefix : allowed_prefixes)
+        if (fileOrSymlinkPathStartsWith(path, prefix))
+            return true;
+    processError(response, fmt::format("The provided library path {} is not inside any of the allowed prefixes {} ('libraries-path') from the configuration.",
+        path, boost::join(allowed_prefixes, ", ")));
+    return false;
+}
+
+
 void ExternalDictionaryLibraryBridgeRequestHandler::handleRequest(HTTPServerRequest & request, HTTPServerResponse & response, const ProfileEvents::Event & /*write_event*/)
 {
     LOG_TRACE(log, "Request URI: {}", request.getURI());
@@ -172,12 +185,15 @@ void ExternalDictionaryLibraryBridgeRequestHandler::handleRequest(HTTPServerRequ
 
             if (!params.has("library_path"))
             {
-                processError(response, "No 'library_path' in request URL");
+                processError(response, "No 'library_path' in the request URL");
                 return;
             }
 
             const String & library_path = params.get("library_path");
 
+            if (!checkLibraryPath(library_path, libraries_paths, response))
+                return;
+
             if (!params.has("library_settings"))
             {
                 processError(response, "No 'library_settings' in request URL");
@@ -413,10 +429,11 @@ void ExternalDictionaryLibraryBridgeExistsHandler::handleRequest(HTTPServerReque
 
 
 CatBoostLibraryBridgeRequestHandler::CatBoostLibraryBridgeRequestHandler(
-    size_t keep_alive_timeout_, ContextPtr context_)
+    size_t keep_alive_timeout_, ContextPtr context_, std::vector<std::string> libraries_paths_)
     : WithContext(context_)
     , keep_alive_timeout(keep_alive_timeout_)
     , log(getLogger("CatBoostLibraryBridgeRequestHandler"))
+    , libraries_paths(std::move(libraries_paths_))
 {
 }
 
@@ -522,6 +539,9 @@ void CatBoostLibraryBridgeRequestHandler::handleRequest(HTTPServerRequest & requ
 
             const String & library_path = params.get("library_path");
 
+            if (!checkLibraryPath(library_path, libraries_paths, response))
+                return;
+
             if (!params.has("model_path"))
             {
                 processError(response, "No 'model_path' in request URL");

programs/library-bridge/LibraryBridgeHandlers.h

@@ -18,7 +18,7 @@ namespace DB
 class ExternalDictionaryLibraryBridgeRequestHandler : public HTTPRequestHandler, WithContext
 {
 public:
-    ExternalDictionaryLibraryBridgeRequestHandler(size_t keep_alive_timeout_, ContextPtr context_);
+    ExternalDictionaryLibraryBridgeRequestHandler(size_t keep_alive_timeout_, ContextPtr context_, std::vector<std::string> libraries_paths_);
 
     void handleRequest(HTTPServerRequest & request, HTTPServerResponse & response, const ProfileEvents::Event & write_event) override;
 
@@ -27,6 +27,7 @@ class ExternalDictionaryLibraryBridgeRequestHandler : public HTTPRequestHandler,
 
     const size_t keep_alive_timeout;
     LoggerPtr log;
+    std::vector<std::string> libraries_paths;
 };
 
 
@@ -63,13 +64,14 @@ class ExternalDictionaryLibraryBridgeExistsHandler : public HTTPRequestHandler,
 class CatBoostLibraryBridgeRequestHandler : public HTTPRequestHandler, WithContext
 {
 public:
-    CatBoostLibraryBridgeRequestHandler(size_t keep_alive_timeout_, ContextPtr context_);
+    CatBoostLibraryBridgeRequestHandler(size_t keep_alive_timeout_, ContextPtr context_, std::vector<std::string> libraries_paths_);
 
     void handleRequest(HTTPServerRequest & request, HTTPServerResponse & response, const ProfileEvents::Event & write_event) override;
 
 private:
     const size_t keep_alive_timeout;
     LoggerPtr log;
+    std::vector<std::string> libraries_paths;
 };
 
 

programs/server/Server.cpp

@@ -1157,13 +1157,11 @@ try
     {
         std::string dictionaries_lib_path = config().getString("dictionaries_lib_path", path / "dictionaries_lib/");
         global_context->setDictionariesLibPath(dictionaries_lib_path);
-        fs::create_directories(dictionaries_lib_path);
     }
 
     {
         std::string user_scripts_path = config().getString("user_scripts_path", path / "user_scripts/");
         global_context->setUserScriptsPath(user_scripts_path);
-        fs::create_directories(user_scripts_path);
     }
 
     /// top_level_domains_lists

src/Bridge/IBridge.cpp

@@ -17,11 +17,16 @@
 #include <base/range.h>
 #include <base/scope_guard.h>
 
-#include <sys/time.h>
+#include <iostream>
+#include <thread>
+#include <filesystem>
 #include <sys/resource.h>
+#include <sys/time.h>
+#include <boost/algorithm/string.hpp>
 
 #include "config.h"
 
+
 namespace DB
 {
 
@@ -113,6 +118,9 @@ void IBridge::defineOptions(Poco::Util::OptionSet & options)
     options.addOption(
         Poco::Util::Option("stderr-path", "", "stderr log path, default console").argument("stderr-path").binding("logger.stderr"));
 
+    options.addOption(
+        Poco::Util::Option("libraries-path", "", "A colon-separated (:) lists of paths from where we allow to load libraries. Subdirectories are also included. To prevent security risks, ensure this path is strictly read-only and not writable by user-controlled applications.").argument("libraries-path").binding("libraries-path"));
+
     using Me = std::decay_t<decltype(*this)>;
 
     options.addOption(
@@ -168,6 +176,10 @@ void IBridge::initialize(Application & self)
     keep_alive_timeout = config().getUInt64("keep-alive-timeout", DEFAULT_HTTP_KEEP_ALIVE_TIMEOUT);
     http_max_field_value_size = config().getUInt64("http-max-field-value-size", 128 * 1024);
 
+    boost::split(libraries_paths, config().getString("libraries-path", "/usr/lib/"), [](char c){ return c == ':'; });
+    for (auto & path : libraries_paths)
+        path = std::filesystem::canonical(path);
+
     struct rlimit limit;
     const UInt64 gb = 1024 * 1024 * 1024;
 

src/Bridge/IBridge.h

@@ -35,6 +35,7 @@ class IBridge : public BaseDaemon
     virtual HandlerFactoryPtr getHandlerFactoryPtr(ContextPtr context) const = 0;
 
     size_t keep_alive_timeout;
+    std::vector<std::string> libraries_paths;
 
 private:
     void handleHelp(const std::string &, const std::string &);

src/BridgeHelper/IBridgeHelper.cpp

@@ -14,6 +14,7 @@ namespace DB
 namespace ErrorCodes
 {
     extern const int EXTERNAL_SERVER_IS_NOT_RESPONDING;
+    extern const int BAD_ARGUMENTS;
 }
 
 
@@ -95,6 +96,27 @@ std::unique_ptr<ShellCommand> IBridgeHelper::startBridgeCommand()
         cmd_args.push_back(config.getString("logger." + configPrefix() + "_level"));
     }
 
+    std::string allowed_paths;
+    for (const auto * allowed_path_config : {"dictionaries_lib_path", "catboost_lib_path"})
+    {
+        if (config.has(allowed_path_config))
+        {
+            std::string allowed_path = config.getString(allowed_path_config);
+            if (allowed_path.contains(':'))
+                throw Exception(ErrorCodes::BAD_ARGUMENTS, "`{}` cannot contain the colon (:) symbol: {}", allowed_path_config, allowed_path);
+
+            if (!allowed_paths.empty())
+                allowed_paths += ":";
+            allowed_paths += allowed_path;
+        }
+    }
+
+    if (!allowed_paths.empty())
+    {
+        cmd_args.push_back("--libraries-path");
+        cmd_args.push_back(allowed_paths);
+    }
+
     LOG_TRACE(getLog(), "Starting {}", serviceAlias());
 
     /// We will terminate it with the KILL signal instead of the TERM signal,

src/Planner/ActionsChain.cpp

@@ -4,9 +4,8 @@
 #include <boost/algorithm/string/join.hpp>
 
 #include <IO/WriteBuffer.h>
-#include <IO/WriteHelpers.h>
 #include <IO/Operators.h>
-#include <IO/WriteBufferFromString.h>
+
 
 namespace DB
 {