Issue #8099

File upload causes django.security.SuspiciousFileOperation:ERROR

Added by iballou 4 months ago. Updated 3 months ago.

Status: CLOSED - CURRENTRELEASE
Priority: High
Assignee:
Category: -
Sprint/Milestone:
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version:
Platform Release:
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Katello
Sprint: Sprint 88
Quarter:

Description

Versions:

pulpcore 3.9.0

pulp-file 1.5.0

When trying to upload a file via /pulp/api/v3/uploads, a 400 is thrown with the error in the title.

Traceback:

Jan 14 21:13:48 centos7-katello-devel-2 pulpcore-api: pulp [f53c4be45f9c4504aec7518c24847b8e]: django.security.SuspiciousFileOperation:ERROR: The joined path (/var/lib/pulp/upload/867d321b-de81-4f0f-bad9-713f9e92dd5f) is located outside of the base path component (/var/lib/pulp/media)
Jan 14 21:13:48 centos7-katello-devel-2 pulpcore-api: pulp [f53c4be45f9c4504aec7518c24847b8e]: django.request:WARNING: Bad Request: /pulp/api/v3/uploads/ef9b403f-c0fe-49e7-b2df-c4199f534ef2/

Associated revisions

Revision a8053124
Added by dkliban@redhat.com 4 months ago

Make CHUNKED_UPLOAD_DIR a relative path

In 1b6c736 uploads were changed to use the default storage (uses settings.MEDIA_ROOT). Anything that's written outside of storage location raises a SuspiciousOperation. That already made the implicit requirement that CHUNKED_UPLOAD_DIR was relative.

Users could hit this if they modified MEDIA_ROOT in their settings but kept CHUNKED_UPLOAD_DIR default.

If a relative path is used, Django prepends the location and it is guaranteed to be a safe location. This changes the default value to be relative and updates the documentation to reflect this.

fixes: #8099 https://pulp.plan.io/issues/8099

Revision 9f6e1b12
Added by dkliban@redhat.com 4 months ago

Make CHUNKED_UPLOAD_DIR a relative path

In 1b6c736 uploads were changed to use the default storage (uses settings.MEDIA_ROOT). Anything that's written outside of storage location raises a SuspiciousOperation. That already made the implicit requirement that CHUNKED_UPLOAD_DIR was relative.

Users could hit this if they modified MEDIA_ROOT in their settings but kept CHUNKED_UPLOAD_DIR default.

If a relative path is used, Django prepends the location and it is guaranteed to be a safe location. This changes the default value to be relative and updates the documentation to reflect this.

fixes: #8099 https://pulp.plan.io/issues/8099

History

#1 Updated by iballou 4 months ago

Seems to be an issue with uploading RPMs too.

#2 Updated by fao89 4 months ago

  • Triaged changed from No to Yes

#3 Updated by jsherril@redhat.com 4 months ago

  • Priority changed from Normal to High

#4 Updated by dkliban@redhat.com 4 months ago

I believe this is due to the settings that were set by the installer. Pulpcore 3.10.0 is going to handle this much better, but we will not be able to fix it in 3.9.z.

[0] https://github.com/pulp/pulpcore/pull/799/

#5 Updated by ekohl 4 months ago

The problem is that chunked upload is required to be within the media root. If you configure settings.CHUNKED_UPLOAD_DIR outside of that, it's deemed insecure since it could be trying to write to an insecure location.

In https://github.com/pulp/pulpcore/pull/799 I've chosen to configure it as a separate storage (https://github.com/pulp/pulpcore/pull/799/files#diff-3b7393fd8979f6a11ff65fe14ec74103a030415a943ce38a6eac7de85a2d92fdR11) and then use that in the upload form (https://github.com/pulp/pulpcore/pull/799/files#diff-03bb26bef2f063c5e13c435d8c58f624a9649bad78b53df8cc2463204238f674R62). That makes Django think that it's safe (which it is).
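The containment check behind the error in this issue, as an added example (not Pulp's or Django's own code): a simplified, POSIX-only stdlib re-implementation of the join-and-verify step, run on the paths from the log lines above. The relative value `upload`, the stand-in exception class and the helper `check_upload_dir` are assumptions made for illustration.

```python
import posixpath


class SuspiciousFileOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousFileOperation."""


def safe_join(base, *paths):
    """Join paths under base and refuse any result that leaves base."""
    base_path = posixpath.abspath(base)
    # An absolute component discards base in join(); abspath() collapses "..".
    final_path = posixpath.abspath(posixpath.join(base_path, *paths))
    prefix = base_path.rstrip("/") + "/"  # trailing slash blocks sibling dirs
    if final_path != base_path and not final_path.startswith(prefix):
        raise SuspiciousFileOperation(
            "The joined path (%s) is located outside of the base path "
            "component (%s)" % (final_path, base_path)
        )
    return final_path


def check_upload_dir(media_root, chunked_upload_dir):
    """Hypothetical settings check: list problems with CHUNKED_UPLOAD_DIR."""
    problems = []
    if posixpath.isabs(chunked_upload_dir):
        problems.append("CHUNKED_UPLOAD_DIR is absolute, so it does not follow MEDIA_ROOT")
    try:
        safe_join(media_root, chunked_upload_dir)
    except SuspiciousFileOperation as exc:
        problems.append(str(exc))
    return problems


# MEDIA_ROOT, the absolute upload dir and the file name are taken from the log
# lines in the issue; "upload" and "../upload" are constructed sample values.
MEDIA_ROOT = "/var/lib/pulp/media"
UPLOAD_NAME = "867d321b-de81-4f0f-bad9-713f9e92dd5f"

if __name__ == "__main__":
    for upload_dir in ("/var/lib/pulp/upload", "upload", "../upload"):
        try:
            print(upload_dir, "->", safe_join(MEDIA_ROOT, upload_dir, UPLOAD_NAME))
        except SuspiciousFileOperation as exc:
            print(upload_dir, "-> rejected:", exc)
```

Only the relative value resolves inside the media root; the absolute default and the `..` form both land on `/var/lib/pulp/upload/...` and are rejected.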

#6 Updated by dkliban@redhat.com 4 months ago

  • Sprint set to Sprint 88

#7 Updated by dkliban@redhat.com 4 months ago

  • Assignee set to ekohl

#8 Updated by pulpbot 4 months ago

  • Status changed from NEW to POST

#10 Updated by dkliban@redhat.com 4 months ago

  • Status changed from POST to MODIFIED

#12 Updated by dkliban@redhat.com 4 months ago

  • Sprint/Milestone set to 3.9.1

#13 Updated by ttereshc 3 months ago

  • Sprint/Milestone changed from 3.9.1 to 3.10.0

#14 Updated by ttereshc 3 months ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
  • Sprint/Milestone changed from 3.10.0 to 3.9.1
