
Relax Path Safety on Parse #5019

Closed
tustvold opened this issue Nov 1, 2023 · 3 comments · Fixed by #5020
Labels
enhancement: Any new improvement worthy of an entry in the changelog; object-store: Object Store Interface

Comments

@tustvold (Contributor) commented Nov 1, 2023

Is your feature request related to a problem or challenge? Please describe what you are trying to do.

Currently PathPart::parse and by extension Path::parse disallow paths containing "unsafe" characters.

This feels unnecessarily puritanical given:

  • Most stores and filesystems do actually support UTF-8
  • We don't exclude characters that some filesystems don't support, e.g. : on Mac OSX
  • We don't exclude filenames that are forbidden on some systems, e.g. COM1 on Windows
  • We exclude characters that are fairly common, e.g. ~
  • We actually add % characters to paths, which the stores recommend against including in object names

Describe the solution you'd like

I think we should preserve the existing percent-encoding behaviour when using the infallible methods; this gives people a safe default behaviour.

However, I would propose we change PathPart::parse to only reject segments that

  • Are "" or "." or ".."
  • Contain ASCII control characters
  • Contain a delimiter

This broadly conforms to what is supported by most filesystems - https://en.wikipedia.org/wiki/Filename

Additional context

apache/datafusion#8014
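The three rejection rules proposed above, written out as an added example (this is not object_store's own code; `parse_segment`, `parse_path`, `encode_segment` and `SegmentError` are hypothetical names, and the real API is `PathPart::parse` / `Path::parse` with `From<&str>` as the infallible route). `parse_segment` rejects exactly `""`, `"."`, `".."`, ASCII control characters and the delimiter and accepts everything else, so `~`, `:`, non-ASCII UTF-8 and names like `COM1` all pass; `parse_path` assumes leading and trailing delimiters are stripped before segments are checked; `encode_segment` is the percent-encoding fallback an infallible constructor would use, encoding only what `parse_segment` would reject (plus `%` so it stays reversible), which gives the invariant that any non-empty input encodes to something `parse_segment` accepts.

```rust
// Added example, not object_store's own code. All names are hypothetical.
use std::fmt::Write;

/// object_store separates path segments with '/'.
pub const DELIMITER: char = '/';

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum SegmentError {
    /// "" is never a valid segment
    Empty,
    /// "." and ".." are interpreted as traversal by every filesystem
    Traversal,
    /// an ASCII control character (0x00..=0x1F or 0x7F) was found
    Control(u8),
    /// the delimiter cannot appear inside a single segment
    Delimiter,
}

/// Fallible validation implementing only the three proposed rules.
/// Everything else (non-ASCII UTF-8, `~`, `:`, `COM1`, ...) is accepted.
pub fn parse_segment(segment: &str) -> Result<&str, SegmentError> {
    match segment {
        "" => return Err(SegmentError::Empty),
        "." | ".." => return Err(SegmentError::Traversal),
        _ => {}
    }
    for c in segment.chars() {
        if c == DELIMITER {
            return Err(SegmentError::Delimiter);
        }
        if c.is_ascii_control() {
            return Err(SegmentError::Control(c as u8));
        }
    }
    Ok(segment)
}

/// Parse a whole path. Leading/trailing delimiters are stripped (an
/// assumption of this example), then every segment must pass
/// `parse_segment`, so "a//b" and "a/../b" are both rejected.
pub fn parse_path(raw: &str) -> Result<Vec<&str>, SegmentError> {
    let trimmed = raw.trim_matches(DELIMITER);
    if trimmed.is_empty() {
        return Ok(Vec::new());
    }
    trimmed.split(DELIMITER).map(parse_segment).collect()
}

/// Infallible alternative mirroring the percent-encoding safe default:
/// encode only what `parse_segment` rejects, plus '%' so decoding is
/// unambiguous. For any non-empty input the output passes `parse_segment`.
pub fn encode_segment(segment: &str) -> String {
    let mut out = String::with_capacity(segment.len());
    if segment == "." || segment == ".." {
        for _ in 0..segment.len() {
            out.push_str("%2E");
        }
        return out;
    }
    for c in segment.chars() {
        if c == '%' || c == DELIMITER || c.is_ascii_control() {
            // these are all ASCII, so `c as u8` is the exact byte
            write!(out, "%{:02X}", c as u8).unwrap();
        } else {
            // non-ASCII characters are never rejected, so they pass through
            out.push(c);
        }
    }
    out
}

fn main() {
    for raw in ["caf\u{e9}/~x:COM1", "a/../b", "a//b", "a/b\n"] {
        println!("{raw:?} -> {:?}", parse_path(raw));
    }
    println!("{:?}", encode_segment("a/b%c\t"));
}
```

Note that `encode_segment("")` is still `""`, which `parse_segment` rejects; an empty segment has no safe encoding and has to be refused at the path level, as `parse_path` does for `a//b`.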

@crepererum (Contributor) commented

Do file-based object stores count as a "sandbox"? If so, we should probably double-check that there aren't some weird ways to escape the root directory via some bizarre unknown features.

Slightly related: do we follow symlinks?

@tustvold (Contributor, Author) commented Nov 1, 2023

> Do file-based object stores count as a "sandbox"

I don't think we have ever billed it as such, I certainly wouldn't rely on it, but that doesn't mean people aren't using it as such.

> do we follow symlinks

Yes, and they can allow escaping the "sandbox"; this is documented here - https://docs.rs/object_store/latest/object_store/local/struct.LocalFileSystem.html#symlinks

> escape the root directory via some bizarre unknown features

We prevent relative paths, but there might be other ways I'm not aware of, especially on Windows.
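The symlink escape described in the reply above, as an added example that is not part of the thread or of object_store's code. It builds a constructed scenario in a temporary directory (`root/data/link` pointing at a file outside `root`), shows that both segments `data` and `link` pass the proposed lexical rules, and then shows how a hypothetical `resolve_within_root` check catches the escape by canonicalising both the root and the joined path and requiring a component-wise prefix match. `lexically_safe`, `resolve_within_root`, `ResolveError`, `DemoOutcome` and `symlink_escape_demo` are all names made up for this example.

```rust
// Added example, not object_store's own code. All names are hypothetical.
use std::path::{Path, PathBuf};
use std::{env, fs, io, process};

#[derive(Debug)]
pub enum ResolveError {
    Io(io::Error),
    /// a segment failed the lexical rules (e.g. "..")
    Lexical(String),
    /// the canonical target lies outside the canonical root
    Escape(PathBuf),
}

impl From<io::Error> for ResolveError {
    fn from(e: io::Error) -> Self {
        ResolveError::Io(e)
    }
}

/// The lexical rule from the proposal: reject only "", ".", "..",
/// a delimiter, or an ASCII control character.
pub fn lexically_safe(segment: &str) -> bool {
    !segment.is_empty()
        && segment != "."
        && segment != ".."
        && !segment.chars().any(|c| c == '/' || c.is_ascii_control())
}

/// Join lexically-safe segments onto `root`, resolve symlinks, and refuse
/// any target that does not stay below the canonical root.
/// `Path::starts_with` compares whole components, so a root of
/// "/srv/root" does not match a resolved "/srv/rootx/...".
pub fn resolve_within_root(root: &Path, segments: &[&str]) -> Result<PathBuf, ResolveError> {
    let root = root.canonicalize()?;
    let mut candidate = root.clone();
    for s in segments {
        if !lexically_safe(s) {
            return Err(ResolveError::Lexical(s.to_string()));
        }
        // ".." never reaches here, so push() cannot walk upward lexically;
        // only symlink resolution below can move the target out of root
        candidate.push(s);
    }
    let resolved = candidate.canonicalize()?;
    if resolved.starts_with(&root) {
        Ok(resolved)
    } else {
        Err(ResolveError::Escape(resolved))
    }
}

#[cfg(unix)]
fn make_symlink(target: &Path, link: &Path) -> io::Result<()> {
    std::os::unix::fs::symlink(target, link)
}

#[cfg(windows)]
fn make_symlink(target: &Path, link: &Path) -> io::Result<()> {
    std::os::windows::fs::symlink_file(target, link)
}

/// Outcome of the constructed scenario below.
#[derive(Debug, PartialEq, Eq)]
pub struct DemoOutcome {
    pub lexical_ok: bool,
    pub escape_detected: bool,
    pub plain_file_ok: bool,
}

/// Constructed scenario: <tmp>/root/data/link -> <tmp>/outside.txt
pub fn symlink_escape_demo() -> io::Result<DemoOutcome> {
    let base = env::temp_dir().join(format!("objstore-symlink-demo-{}", process::id()));
    let root = base.join("root");
    let run = || -> io::Result<DemoOutcome> {
        fs::create_dir_all(root.join("data"))?;
        fs::write(root.join("data").join("plain.txt"), b"inside")?;
        let outside = base.join("outside.txt");
        fs::write(&outside, b"secret")?;
        make_symlink(&outside, &root.join("data").join("link"))?;

        let via_link = ["data", "link"];
        let plain = ["data", "plain.txt"];
        Ok(DemoOutcome {
            lexical_ok: via_link.iter().all(|s| lexically_safe(s)),
            escape_detected: matches!(
                resolve_within_root(&root, &via_link),
                Err(ResolveError::Escape(_))
            ),
            plain_file_ok: resolve_within_root(&root, &plain).is_ok(),
        })
    };
    let result = run();
    let _ = fs::remove_dir_all(&base); // always clean up, even on error
    result
}

fn main() {
    println!("{:?}", symlink_escape_demo());
}
```

The check is a detection, not a sandbox: it resolves the path at one instant and a later `open` resolves it again, so anyone who can create or swap symlinks under the root can still race it. Refusing to follow symlinks at all (or opening with `O_NOFOLLOW` on each component) is the only way to close that window.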

tustvold added a commit that referenced this issue Nov 2, 2023:

* Relax path safety (#5019)
* Review feedback
* WASM

tustvold added the object-store (Object Store Interface) label Nov 2, 2023

@tustvold (Contributor, Author) commented Nov 2, 2023

label_issue.py automatically added labels {'object-store'} from #5020
