Merge commit from fork

Signed-off-by: Frost Ming <me@frostming.com>

Author: frostming

src/_bentoml_sdk/images.py

@@ -20,6 +20,8 @@
 from bentoml._internal.container import split_envs_by_stage
 from bentoml._internal.container.frontend.dockerfile import CONTAINER_METADATA
 from bentoml._internal.container.frontend.dockerfile import CONTAINER_SUPPORTED_DISTROS
+from bentoml._internal.utils.filesystem import chdir
+from bentoml._internal.utils.filesystem import resolve_user_filepath
 from bentoml.exceptions import BentoMLConfigException
 from bentoml.exceptions import BentoMLException
 
@@ -97,6 +99,7 @@ def requirements_file(self, file_path: str) -> t.Self:
         """
         if self.post_commands:
             raise BentoMLConfigException("Can't separate adding python requirements")
+        file_path = resolve_user_filepath(file_path, None)
         self.python_requirements += Path(file_path).read_text().rstrip("\n") + "\n"
         self._after_pip_install = True
         return self
@@ -112,6 +115,7 @@ def pyproject_toml(self, file_path: str = "pyproject.toml") -> t.Self:
         """
         if self.post_commands:
             raise BentoMLConfigException("Can't separate adding python requirements")
+        file_path = resolve_user_filepath(file_path, None)
         with Path(file_path).open("rb") as f:
             pyproject_toml = tomllib.load(f)
         dependencies = pyproject_toml.get("project", {}).get("dependencies", {})
@@ -164,7 +168,7 @@ def run_script(self, script: str) -> t.Self:
             image = Image("debian:latest").run_script("script.sh")
         """
         commands = self.post_commands if self._after_pip_install else self.commands
-        script = Path(script).resolve().as_posix()
+        script = resolve_user_filepath(script, None)
         # Files under /env/docker will be copied into the env image layer
         target_script = (
             f"./env/docker/script__{hashlib.md5(script.encode()).hexdigest()}"
@@ -327,8 +331,6 @@ def _freeze_python_requirements(
 def populate_image_from_build_config(
     image: Image | None, build_config: BentoBuildConfig, build_ctx: str
 ) -> Image | None:
-    from bentoml._internal.utils.filesystem import resolve_user_filepath
-
     fallback_message = "fallback to bento v1" if image is None else "it will be ignored"
     if not build_config.conda.is_empty():
         logger.warning(
@@ -392,12 +394,12 @@ def populate_image_from_build_config(
         image.python_packages(
             *(f"--find-links {link}" for link in python_options.find_links)
         )
-    if python_options.requirements_txt:
-        image.requirements_file(
-            resolve_user_filepath(python_options.requirements_txt, build_ctx)
-        )
-    elif python_options.packages:
-        image.python_packages(*python_options.packages)
-    if docker_options.setup_script:
-        image.run_script(docker_options.setup_script)
+
+    with chdir(build_ctx):
+        if python_options.requirements_txt:
+            image.requirements_file(python_options.requirements_txt)
+        elif python_options.packages:
+            image.python_packages(*python_options.packages)
+        if docker_options.setup_script:
+            image.run_script(docker_options.setup_script)
     return image

src/bentoml/_internal/bento/bento.py

@@ -35,6 +35,7 @@
 from ..types import PathType
 from ..utils import normalize_labels_value
 from ..utils.cattr import bentoml_cattr
+from ..utils.filesystem import resolve_user_filepath
 from ..utils.filesystem import safe_remove_dir
 from .build_config import BentoBuildConfig
 from .build_config import BentoEnvSchema
@@ -349,9 +350,13 @@ def append_model(model: BentoModelInfo) -> None:
                 build_config.description is not None
                 and build_config.description.startswith("file:")
             ):
-                file_name = build_config.description[5:].strip()
-                if not ctx_path.joinpath(file_name).exists():
-                    raise InvalidArgument(f"File {file_name} does not exist.")
+                try:
+                    file_name = resolve_user_filepath(
+                        build_config.description[5:].strip(), str(ctx_path)
+                    )
+                except (FileNotFoundError, ValueError) as e:
+                    raise InvalidArgument(str(e)) from None
+
                 shutil.copy(ctx_path.joinpath(file_name), bento_readme)
             elif (
                 build_config.description is None

src/bentoml/_internal/cloud/deployment.py

@@ -95,7 +95,9 @@ def verify(
         if self.config_dict:
             self.cfg_dict = self.config_dict
         elif isinstance(self.config_file, str):
-            real_path = resolve_user_filepath(self.config_file, self.path_context)
+            real_path = resolve_user_filepath(
+                self.config_file, self.path_context, secure=False
+            )
             try:
                 with open(real_path, "r") as file:
                     self.cfg_dict = yaml.safe_load(file)
@@ -313,7 +315,7 @@ def get_args_from_config(
         cluster = config_dict["cluster"]
 
     if isinstance(config_file, str):
-        real_path = resolve_user_filepath(config_file, path_context)
+        real_path = resolve_user_filepath(config_file, path_context, secure=False)
         try:
             with open(real_path, "r") as file:
                 file_dict = yaml.safe_load(file)

src/bentoml/_internal/container/base.py

@@ -14,7 +14,6 @@
 import attr
 
 from ...exceptions import BentoMLException
-from ..utils.filesystem import resolve_user_filepath
 
 if TYPE_CHECKING:
     from typing_extensions import Self
@@ -56,7 +55,7 @@ def _(self, args: ArgType, opt: str = ""):
     def _(self, args: PathType, opt: str = ""):
         if args is not None:
             if os.path.exists(str(args)):
-                args = resolve_user_filepath(str(args), ctx=None)
+                args = os.path.abspath(str(args))
             self.extend((f"--{opt}", str(args)))
 
     @construct_args.register(type(None))

src/bentoml/_internal/io_descriptors/file.py

@@ -162,7 +162,7 @@ async def predict(input: t.IO[t.Any]) -> t.IO[t.Any]:
         if isinstance(sample, t.IO):
             sample = FileLike[bytes](sample, "<sample>")
         elif isinstance(sample, (str, os.PathLike)):
-            p = resolve_user_filepath(sample, ctx=None)
+            p = resolve_user_filepath(sample, ctx=None, secure=False)
             mime = mimetypes.guess_type(p)[0]
             self._mime_type = mime
             with open(p, "rb") as f:

src/bentoml/_internal/io_descriptors/image.py

@@ -250,7 +250,7 @@ async def predict(input: t.IO[t.Any]) -> t.IO[t.Any]:
         if LazyType["ext.NpNDArray"]("numpy.ndarray").isinstance(sample):
             sample = PIL.Image.fromarray(sample)
         elif isinstance(sample, str):
-            p = resolve_user_filepath(sample, ctx=None)
+            p = resolve_user_filepath(sample, ctx=None, secure=False)
             try:
                 with open(p, "rb") as f:
                     sample = PIL.Image.open(f)

src/bentoml/_internal/utils/filesystem.py

@@ -111,26 +111,51 @@ def validate_or_create_dir(*path: PathType) -> None:
             path_obj.mkdir(parents=True, exist_ok=True)
 
 
-def resolve_user_filepath(filepath: str, ctx: t.Optional[str]) -> str:
+def resolve_user_filepath(
+    filepath: str, ctx: t.Optional[str], secure: bool = True
+) -> str:
     """Resolve the abspath of a filepath provided by user. User provided file path can:
     * be a relative path base on ctx dir
     * contain leading "~" for HOME directory
     * contain environment variables such as "$HOME/workspace"
     """
     # Return if filepath exist after expanduser
 
-    _path = os.path.expanduser(os.path.expandvars(filepath))
+    _path = Path(os.path.expanduser(os.path.expandvars(filepath)))
 
     # Try finding file in ctx if provided
-    if not os.path.isabs(_path) and ctx:
-        _path = os.path.expanduser(os.path.join(ctx, filepath))
-
-    if os.path.exists(_path):
-        return os.path.realpath(_path)
-
-    raise FileNotFoundError(f"file {filepath} not found")
+    if not _path.is_absolute():
+        ctx = os.path.expanduser(ctx) if ctx else os.getcwd()
+        _path = Path(ctx).joinpath(_path)
+    elif secure:
+        raise ValueError(f"Absolute path {filepath} is not allowed")
+    _path = _path.resolve()
+    if not _path.exists():
+        raise FileNotFoundError(f"file {filepath} not found")
+    if secure:
+        cwd = Path().resolve()
+        if not _path.is_relative_to(cwd):
+            raise ValueError(
+                f"Accessing file outside of current working directory is not allowed: {_path}"
+            )
+        if any(part.startswith(".") for part in _path.parts):
+            raise ValueError(f"Accessing hidden files is not allowed: {_path}")
+        if any(_path.is_relative_to(item) for item in ("/etc", "/proc")):
+            raise ValueError(f"Accessing system files is not allowed: {_path}")
+    return str(_path)
 
 
 def safe_remove_dir(path: PathType) -> None:
     with contextlib.suppress(OSError):
         shutil.rmtree(path, ignore_errors=True)
+
+
+@contextlib.contextmanager
+def chdir(new_dir: PathType) -> t.Generator[None, None, None]:
+    """Context manager for changing the current working directory. This is not thread-safe."""
+    prev_dir = os.getcwd()
+    os.chdir(new_dir)
+    try:
+        yield
+    finally:
+        os.chdir(prev_dir)

src/bentoml/bentos.py

@@ -413,7 +413,7 @@ def build_bentofile(
         set_arguments(args)
     if bentofile:
         try:
-            bentofile = resolve_user_filepath(bentofile, None)
+            bentofile = resolve_user_filepath(bentofile, None, secure=False)
         except FileNotFoundError:
             raise InvalidArgument(f'bentofile "{bentofile}" not found')
         else:

src/bentoml_cli/models.py

@@ -301,7 +301,7 @@ def pull(
 
     if bentofile:
         try:
-            bentofile = resolve_user_filepath(bentofile, None)
+            bentofile = resolve_user_filepath(bentofile, None, secure=False)
         except FileNotFoundError:
             raise InvalidArgument(f'file "{bentofile}" not found')
         else:

src/bentoml_cli/secret.py

@@ -103,7 +103,7 @@ def parse_kvs_argument_callback(
         if not key or not val:
             raise click.BadParameter(f"Invalid key-value pair: {key_val}")
         if val.startswith("@"):
-            filename = resolve_user_filepath(val[1:], ctx=None)
+            filename = resolve_user_filepath(val[1:], ctx=None, secure=False)
             if not os.path.exists(filename) or not os.path.isfile(filename):
                 raise click.BadParameter(f"Invalid file path: {filename}")
             # read the file content
@@ -123,7 +123,7 @@ def read_dotenv_callback(
     env_map: dict[str, str] = {}
 
     for path in value:
-        path = resolve_user_filepath(path, ctx=None)
+        path = resolve_user_filepath(path, ctx=None, secure=False)
         if not os.path.exists(path) or not os.path.isfile(path):
             raise click.BadParameter(f"Invalid file path: {path}")
         with open(path, "r") as f: