How do I safely disable all access to filesystem? #52

Closed
jdimpson opened this issue Apr 26, 2023 · 1 comment · Fixed by #54

@jdimpson

jdimpson commented Apr 26, 2023

This is likely a feature request, unless I've missed something.

In many cases I'd prefer my HTTPServer application define all possible valid URLs as server routes to python handlers, and any invalid URL request immediately returns a 404 error. No going to the file system when a route handler is not found.

In older versions of the library, I would create the server like this:
server = HTTPServer(pool, "undef")server = HTTPServer(pool)

And then use @server.route("/...") pragmas to define all URLs.

At some point since I last updated, the interface to HTTPServer changed so that it requires a second argument, that for root_path. In the documentation, the example is:
server = HTTPServer(pool, "/static")

I'd prefer to prevent any attempt to access the filesystem. I know I could pass a nonexistent file/folder as root_path, which would cause all filesystem I/O attempts to raise an error. But that would cause unnecessary file system I/O for every route handler miss, and perhaps more importantly, it is confusing to someone looking at the code. They'd wonder why the given root_path folder didn't exist. It also causes an error message, saying which file was not found, back to the client, which might encourage someone to try manipulating URL paths in an attempt to access "private" data on the filesystem.

My first thought was to try this:
server = HTTPServer(pool, None)

However, if a client requests a URL with a path that has no route handler, HTTPServer.poll() will do an HTTPResponse.send_file(), which eventually does root_path.endswith(). This causes an AttributeError to be raised because None is not a string in this case. Would it be possible to have an option to instruct HTTPServer to never check the file system?

To do this, I'd suggest that HTTPServer.poll() checks if root_path is None before calling HTTPResponse.send_file(). If so, it would raise FileNotExistsError to directly cause a 404 response, without going to the filesystem.

Thank you for your consideration, and for all of your hard work making this software.

Edited for typos. And clarity.

@michalpokusa
Contributor

Makes sense. In my opinion we could default root_path to None and, as you suggested, skip .send_file() if it is not set. I will include it in the incoming 4.0.0 PR. Thanks for the suggestion. 👍

For now the workaround for this is server = HTTPServer(pool, "/empty-folder").

As to manipulating URLs, recently there was a PR that prevents that. In 4.0.0 there will also be support for Basic and Bearer authentication, so you will be able to further protect your resources.
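
The behaviour discussed in this thread, as an added example that is not part of the issue and is not adafruit_httpserver's code: a route miss with `root_path=None` returns a generic 404 with no file I/O, and when a root is set the resolved path must stay inside it. `RouteOnlyServer`, `handle`, `_send_file` and `fs_lookups` are hypothetical names, and the sketch targets desktop CPython rather than CircuitPython.

```python
import os


class RouteOnlyServer:
    """Hypothetical stand-in for a route-first server (illustrative names only)."""

    def __init__(self, root_path=None):
        # None means "never touch the filesystem".
        self.root_path = None if root_path is None else os.path.realpath(root_path)
        self.routes = {}
        self.fs_lookups = 0  # counts filesystem fallbacks, for the demonstration

    def route(self, path):
        def register(handler):
            self.routes[path] = handler
            return handler
        return register

    def handle(self, path):
        """Return (status, body) for a request path."""
        handler = self.routes.get(path)
        if handler is not None:
            return 200, handler()
        if self.root_path is None:
            # Route miss and no root: 404 without file I/O, and without
            # echoing the requested path back to the client.
            return 404, "Not Found"
        return self._send_file(path)

    def _send_file(self, path):
        self.fs_lookups += 1
        candidate = os.path.realpath(os.path.join(self.root_path, path.lstrip("/")))
        # Containment check: the resolved file must stay under root_path.
        if os.path.commonpath([self.root_path, candidate]) != self.root_path:
            return 404, "Not Found"
        if not os.path.isfile(candidate):
            return 404, "Not Found"
        with open(candidate, "r") as f:
            return 200, f.read()


def demo():
    server = RouteOnlyServer(root_path=None)

    @server.route("/status")
    def status():
        return "ok"

    # Constructed requests: one routed URL, one traversal-style miss.
    return [server.handle("/status"), server.handle("/../secrets.txt"), server.fs_lookups]
```
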
