-
Notifications
You must be signed in to change notification settings - Fork 847
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Relax Path Safety on Parse #5019
Comments
Do file-based object stores count as a "sandbox"? If so, we should probably double-check that there aren't some weird ways to escape the root directory via some bizarre unknown features. Slightly related: do we follow symlinks? |
I don't think we have ever billed it as such, I certainly wouldn't rely on it, but that doesn't mean people aren't using it as such.
Yes and they can allow escaping the "sandbox", this is documented here - https://docs.rs/object_store/latest/object_store/local/struct.LocalFileSystem.html#symlinks
We prevent relative paths, but there might be other ways I'm not aware of, especially on Windows. |
|
Is your feature request related to a problem or challenge? Please describe what you are trying to do.
Currently
PathPart::parse
and by extensionPath::parse
disallow paths containing "unsafe" characters.This feels unnecessarily puritanical given:
:
on Mac OSXCOM1
on Windows~
%
characters to paths, which the stores recommend against including in object namesDescribe the solution you'd like
I think we should preserve the existing percent encoding behaviour when using the infallible methods, this gives people a safe default behaviour.
However, I would propose we change
PathPart::parse
to only reject segments that""
or"."
or".."
This broadly conforms to what is supported by most filesystems - https://en.wikipedia.org/wiki/Filename
Describe alternatives you've considered
Additional context
apache/datafusion#8014
The text was updated successfully, but these errors were encountered: