@@ -392,6 +392,22 @@ def cli(self):
392392 `--trame-args="-p 8081 --server"`. Alternatively, the environment variable
393393 `TRAME_ARGS` may be set instead.""" ,
394394 )
395+ self ._cli_parser .add_argument (
396+ "--follow-symlinks" ,
397+ dest = "static_follow_symlinks" ,
398+ help = """flag for allowing to follow symlinks that lead outside
399+ the static root directory, by default it's not allowed
400+ and HTTP/404 will be returned on access.
401+ Enabling follow_symlinks can be a security risk,
402+ and may lead to a directory transversal attack.
403+ You do NOT need this option to follow symlinks which point
404+ to somewhere else within the static directory, this option
405+ is only used to break out of the security sandbox.
406+ Enabling this option is highly discouraged, and only
407+ expected to be used for edge cases in a local development
408+ setting where remote users do not have access to the server.""" ,
409+ action = "store_true" ,
410+ )
395411
396412 CoreServer .add_arguments (self ._cli_parser )
397413
@@ -540,6 +556,7 @@ def start(
540556 show_connection_info : bool = True ,
541557 disable_logging : bool = False ,
542558 backend : BackendType | None = None ,
559+ follow_symlinks : bool | None = None ,
543560 exec_mode : ExecModeType = "main" ,
544561 timeout : int | None = None ,
545562 host : str | None = None ,
@@ -615,6 +632,9 @@ def start(
615632 if backend is None :
616633 backend = os .environ .get ("TRAME_BACKEND" , "aiohttp" )
617634
635+ if follow_symlinks is not None :
636+ options .static_follow_symlinks = follow_symlinks
637+
618638 if open_browser is None :
619639 open_browser = not os .environ .get ("TRAME_SERVER" , False )
620640
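Review bot: Passing `follow_symlinks=True` to `start()` (the new kwarg at 559, applied at 635–636) switches on behaviour the CLI help itself describes as a security risk, yet nothing is logged when it takes effect, so an operator reading server output cannot tell the sandbox is off; consider adding, after the assignment, `if follow_symlinks: logger.warning("static_follow_symlinks enabled: static file serving may expose files outside the static root")` using whatever logger this module already has (not visible in the hunk). The help text at 402 reads "directory transversal attack" and should say "directory traversal attack". The `start()` docstring is outside these hunks and presumably needs a `follow_symlinks` entry mirroring the CLI help (off by default, only overrides the parser value when not `None`). `start()` begins and ends outside the visible hunks.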