Merge pull request from GHSA-v7vq-3x77-87vg

Zsailer · web-flow · commit a161ffac6bff · 2022-06-07T09:06:40.000-07:00
add checks for hidden file or path on file get
diff --git a/notebook/services/contents/filemanager.py b/notebook/services/contents/filemanager.py
@@ -242,6 +242,12 @@ def _base_model(self, path):
         os_path = self._get_os_path(path)
         info = os.lstat(os_path)
 
+        four_o_four = "file or directory does not exist: %r" % path
+
+        if is_hidden(os_path, self.root_dir) and not self.allow_hidden:
+            self.log.info("Refusing to serve hidden file or directory %r, via 404 Error", os_path)
+            raise web.HTTPError(404, four_o_four)
+
         try:
             # size of file
             size = info.st_size
@@ -363,6 +369,7 @@ def _file_model(self, path, content=True, format=None):
         model['type'] = 'file'
 
         os_path = self._get_os_path(path)
+
         model['mimetype'] = mimetypes.guess_type(os_path)[0]
 
         if content:
@@ -423,11 +430,17 @@ def get(self, path, content=True, type=None, format=None):
             of the file or directory as well.
         """
         path = path.strip('/')
+        os_path = self._get_os_path(path)
+        four_o_four = "file or directory does not exist: %r" % path
 
         if not self.exists(path):
-            raise web.HTTPError(404, f'No such file or directory: {path}')
+            raise web.HTTPError(404, four_o_four)
 
-        os_path = self._get_os_path(path)
+        if is_hidden(os_path, self.root_dir) and not self.allow_hidden:
+            self.log.info("Refusing to serve hidden file or directory %r, via 404 Error", os_path)
+            raise web.HTTPError(404, four_o_four)
+
+        
         if os.path.isdir(os_path):
             if type not in (None, 'directory'):
                 raise web.HTTPError(400,
@@ -446,7 +459,7 @@ def get(self, path, content=True, type=None, format=None):
     def _save_directory(self, os_path, model, path=''):
         """create a directory"""
         if is_hidden(os_path, self.root_dir) and not self.allow_hidden:
-            raise web.HTTPError(400, f'Cannot create hidden directory {os_path!r}')
+            raise web.HTTPError(400, f'Cannot create directory {os_path!r}')
         if not os.path.exists(os_path):
             with self.perm_to_403():
                 os.mkdir(os_path)
@@ -465,6 +478,10 @@ def save(self, model, path=''):
             raise web.HTTPError(400, 'No file content provided')
 
         os_path = self._get_os_path(path)
+
+        if is_hidden(os_path, self.root_dir) and not self.allow_hidden:
+            raise web.HTTPError(400, f'Cannot create file or directory {os_path!r}')
+
         self.log.debug("Saving %s", os_path)
 
         self.run_pre_save_hook(model=model, path=path)
@@ -508,8 +525,14 @@ def delete_file(self, path):
         path = path.strip('/')
         os_path = self._get_os_path(path)
         rm = os.unlink
-        if not os.path.exists(os_path):
-            raise web.HTTPError(404, f'File or directory does not exist: {os_path}')
+        
+        four_o_four = "file or directory does not exist: %r" % path
+
+        if not self.exists(path):
+            raise web.HTTPError(404, four_o_four)
+
+        if is_hidden(os_path, self.root_dir) and not self.allow_hidden:
+            raise web.HTTPError(400, f'Cannot delete file or directory {os_path!r}')
 
         def is_non_empty_dir(os_path):
             if os.path.isdir(os_path):
@@ -552,6 +575,9 @@ def rename_file(self, old_path, new_path):
         if new_path == old_path:
             return
 
+        if (is_hidden(old_path, self.root_dir) or is_hidden(new_path, self.root_dir)) and not self.allow_hidden:
+            raise web.HTTPError(400, f'Cannot rename file or directory {os_path!r}')
+
         # Perform path validation prior to converting to os-specific value since this
         # is still relative to root_dir.
         self._validate_path(new_path)
diff --git a/notebook/services/contents/handlers.py b/notebook/services/contents/handlers.py
@@ -101,6 +101,7 @@ def get(self, path=''):
         of the files and directories it contains.
         """
         path = path or ''
+        cm = self.contents_manager
         type = self.get_query_argument('type', default=None)
         if type not in {None, 'directory', 'file', 'notebook'}:
             raise web.HTTPError(400, f'Type {type!r} is invalid')
@@ -112,7 +113,8 @@ def get(self, path=''):
         if content not in {'0', '1'}:
             raise web.HTTPError(400, f'Content {content!r} is invalid')
         content = int(content)
-
+        if cm.is_hidden(path) and not cm.allow_hidden:
+            raise web.HTTPError(404, f'file or directory {path!r} does not exist')
         model = yield maybe_future(self.contents_manager.get(
             path=path, type=type, format=format, content=content,
         ))
@@ -125,6 +127,9 @@ def patch(self, path=''):
         """PATCH renames a file or directory without re-uploading content."""
         cm = self.contents_manager
         model = self.get_json_body()
+        old_path = model.get('path')
+        if old_path and (cm.is_hidden(path) or cm.is_hidden(old_path))  and not cm.allow_hidden:
+            raise web.HTTPError(400, f'Cannot rename file or directory {path!r}')
         if model is None:
             raise web.HTTPError(400, 'JSON body missing')
         model = yield maybe_future(cm.update(model, path))
@@ -193,6 +198,9 @@ def post(self, path=''):
             raise web.HTTPError(404, f"No such directory: {path}")
 
         model = self.get_json_body()
+        copy_from = model.get('copy_from')
+        if copy_from and (cm.is_hidden(path) or cm.is_hidden(copy_from))  and not cm.allow_hidden:
+            raise web.HTTPError(400, f'Cannot copy file or directory {path!r}')
 
         if model is not None:
             copy_from = model.get('copy_from')
@@ -219,9 +227,12 @@ def put(self, path=''):
           create a new empty notebook.
         """
         model = self.get_json_body()
+        cm = self.contents_manager
         if model:
             if model.get('copy_from'):
                 raise web.HTTPError(400, "Cannot copy with PUT, only POST")
+            if model.get('path') and (cm.is_hidden(path) or cm.is_hidden(model.get('path')))  and not cm.allow_hidden:
+                raise web.HTTPError(400, f'Cannot create file or directory {path!r}')
             exists = yield maybe_future(self.contents_manager.file_exists(path))
             if exists:
                 yield maybe_future(self._save(model, path))
@@ -235,6 +246,10 @@ def put(self, path=''):
     def delete(self, path=''):
         """delete a file in the given path"""
         cm = self.contents_manager
+
+        if cm.is_hidden(path) and not cm.allow_hidden:
+            raise web.HTTPError(400, f'Cannot delete file or directory {path!r}')
+
         self.log.warning('delete %s', path)
         yield maybe_future(cm.delete(path))
         self.set_status(204)
diff --git a/notebook/services/contents/tests/test_contents_api.py b/notebook/services/contents/tests/test_contents_api.py
@@ -321,6 +321,16 @@ def test_get_contents_no_such_file(self):
         with assert_http_error(404):
             self.api.read('foo/q.ipynb')
 
+    def test_get_404_hidden(self):
+        if sys.platform == 'win32':
+            self.skipTest("Disabled copying hidden files on Windows")
+        self.make_txt('.hidden/visible.txt', 'test string')
+        self.make_txt('.hidden.txt', 'test string')
+        with assert_http_error(404):
+            resp = self.api.read('.hidden/visible.txt')
+        with assert_http_error(404):
+            resp = self.api.read('.hidden.txt')
+
     def test_get_text_file_contents(self):
         for d, name in self.dirs_nbs:
             path = url_path_join(d, name + '.txt')
@@ -443,6 +453,51 @@ def test_upload_txt(self):
         self.assertEqual(model['format'], 'text')
         self.assertEqual(model['content'], body)
 
+    def test_upload_txt_hidden(self):
+        if sys.platform == 'win32':
+            self.skipTest("Disabled copying hidden files on Windows")
+        with assert_http_error(400):
+            body = 'ünicode téxt'
+            model = {
+                'content' : body,
+                'format'  : 'text',
+                'type'    : 'file',
+            }
+            path = '.hidden/Upload tést.txt'
+            resp = self.api.upload(path, body=json.dumps(model))
+
+        with assert_http_error(400):
+            body = 'ünicode téxt'
+            model = {
+                'content' : body,
+                'format'  : 'text',
+                'type'    : 'file',
+                'path': '.hidden/test.txt'
+            }
+            path = 'Upload tést.txt'
+            resp = self.api.upload(path, body=json.dumps(model))
+
+        with assert_http_error(400):
+            body = 'ünicode téxt'
+            model = {
+                'content' : body,
+                'format'  : 'text',
+                'type'    : 'file',
+            }
+            path = '.hidden.txt'
+            resp = self.api.upload(path, body=json.dumps(model))
+
+        with assert_http_error(400):
+            body = 'ünicode téxt'
+            model = {
+                'content' : body,
+                'format'  : 'text',
+                'type'    : 'file',
+                'path': '.hidden.txt'
+            }
+            path = 'Upload tést.txt'
+            resp = self.api.upload(path, body=json.dumps(model))
+
     def test_upload_b64(self):
         body = b'\xFFblob'
         b64body = encodebytes(body).decode('ascii')
@@ -497,10 +552,37 @@ def test_copy_path(self):
         resp = self.api.copy('foo/a.ipynb', 'å b')
         self._check_created(resp, 'å b/a-Copy1.ipynb')
 
+    def test_copy_400_hidden(self):
+        if sys.platform == 'win32':
+            self.skipTest("Disabled copying hidden files on Windows")
+        self.make_txt('new.txt', 'test string')
+        self.make_txt('.hidden/new.txt', 'test string')
+        self.make_txt('.hidden.txt', 'test string')
+        with assert_http_error(400):
+            resp = self.api.copy('.hidden/old.txt', 'new.txt')
+        with assert_http_error(400):
+            resp = self.api.copy('old.txt', '.hidden/new.txt')
+        with assert_http_error(400):
+            resp = self.api.copy('.hidden.txt', 'new.txt')
+        with assert_http_error(400):
+            resp = self.api.copy('old.txt', '.hidden.txt')
+
     def test_copy_put_400(self):
         with assert_http_error(400):
             resp = self.api.copy_put('å b/ç d.ipynb', 'å b/cøpy.ipynb')
 
+    def test_copy_put_400_hidden(self):
+        if sys.platform == 'win32':
+            self.skipTest("Disabled copying hidden files on Windows")
+        with assert_http_error(400):
+            resp = self.api.copy_put('.hidden/old.txt', 'new.txt')
+        with assert_http_error(400):
+            resp = self.api.copy_put('old.txt', '.hidden/new.txt')
+        with assert_http_error(400):
+            resp = self.api.copy_put('.hidden.txt', 'new.txt')
+        with assert_http_error(400):
+            resp = self.api.copy_put('old.txt', '.hidden.txt')
+
     def test_copy_dir_400(self):
         # can't copy directories
         with assert_http_error(400):
@@ -543,6 +625,29 @@ def test_delete_non_empty_dir(self):
         with assert_http_error(404):
             self.api.list('å b')
 
+    def test_delete_hidden_dir(self):
+        if sys.platform == 'win32':
+            self.skipTest("Disabled deleting hidden dirs on Windows")
+        with assert_http_error(400):
+            # Test that non empty directory can be deleted
+            try:
+                self.api.delete('.hidden')
+            except requests.HTTPError as e:
+                assert e.response.status_code == 400
+                raise e
+
+    def test_delete_hidden_file(self):
+        #Test deleting file in a hidden directory
+        if sys.platform == 'win32':
+            self.skipTest("Disabled deleting hidden dirs on Windows")
+        with assert_http_error(400):
+            # Test that non empty directory can be deleted
+            self.api.delete('.hidden/test.txt')
+
+        #Test deleting a hidden file
+        with assert_http_error(400):
+            self.api.delete('.hidden.txt')
+
     def test_rename(self):
         resp = self.api.rename('foo/a.ipynb', 'foo/z.ipynb')
         self.assertEqual(resp.headers['Location'].split('/')[-1], 'z.ipynb')
@@ -555,6 +660,21 @@ def test_rename(self):
         self.assertIn('z.ipynb', nbnames)
         self.assertNotIn('a.ipynb', nbnames)
 
+    def test_rename_400_hidden(self):
+        if sys.platform == 'win32':
+            self.skipTest("Disabled copying hidden files on Windows")
+        # self.make_txt('new.txt', 'test string')
+        # self.make_txt('.hidden/new.txt', 'test string')
+        # self.make_txt('.hidden.txt', 'test string')
+        with assert_http_error(400):
+            resp = self.api.rename('.hidden/old.txt', 'new.txt')
+        with assert_http_error(400):
+            resp = self.api.rename('old.txt', '.hidden/new.txt')
+        with assert_http_error(400):
+            resp = self.api.rename('.hidden.txt', 'new.txt')
+        with assert_http_error(400):
+            resp = self.api.rename('old.txt', '.hidden.txt')
+
     def test_checkpoints_follow_file(self):
 
         # Read initial file state
diff --git a/notebook/services/contents/tests/test_manager.py b/notebook/services/contents/tests/test_manager.py
