
(security) Path Traversal #3474

Closed
merelcht opened this issue Jan 3, 2024 · 2 comments
merelcht (Member) commented Jan 3, 2024

Description

Flagged by Snyk as Medium priority

Context

https://github.com/kedro-org/kedro/blob/main/kedro/framework/project/__init__.py#L218-L220

[Screenshot of the flagged lines, 2024-01-03 16:03]

Possible Implementation

[Screenshot of the suggested change, 2024-01-03 16:05]
merelcht moved this to To Do in Kedro Framework Jan 22, 2024
ankatiyar moved this from To Do to In Progress in Kedro Framework Jan 23, 2024
noklam linked a pull request Jan 30, 2024 that will close this issue
noklam mentioned this issue Jan 30, 2024
ankatiyar (Contributor) commented
Summary

In discussion with @noklam and @merelcht -

The only way to silence the Snyk warning is to check that the path provided by the env variable KEDRO_LOGGING_CONFIG is inside a "safe directory". This isn't very easy to solve, since we don't know in advance where the user's logging.yml will be.
Even if we could assume that the logging config file is within the project (project_path) or in the conf_source, those values are accessible when a session is created, which happens much later, after the logging has been set up. Also, with the addition of the ability to specify conf-source, the conf is not necessarily located in the project and/or could be a zip/tar file.

The decision then is to make no changes to address this but rely on the user to make sure that the path to the logging file is not arbitrary.

github-project-automation bot moved this from In Progress to Done in Kedro Framework Jan 31, 2024
noklam (Contributor) commented Jan 31, 2024

To supplement this, it's fair to say that it's the user's responsibility to make sure they use a trusted file for the logging. If the Kedro pipeline is exposed via an API or embedded in an application, we recommend not exposing KEDRO_LOGGING_CONFIG to any external input, to avoid this potential vulnerability.
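The two comments above describe the "safe directory" containment check that would silence the Snyk finding, and explain why Kedro itself does not add one (the safe root is not known when logging is configured). For an application that embeds Kedro and does know its root, this is what such a check looks like. It is an added example, not Kedro's code: the environment variable name KEDRO_LOGGING_CONFIG is the real one, but `resolve_within`, `logging_config_path`, `demo` and the sample paths are constructed here for illustration.

```python
"""Containment check for a logging-config path supplied through an environment variable.

Added example, not Kedro's own code. Helper names and sample paths are
constructed for illustration; only the env var name KEDRO_LOGGING_CONFIG is real.
"""
import os
from pathlib import Path
from typing import Dict, Optional


def resolve_within(candidate: str, safe_root: Path) -> Path:
    """Return the resolved path if it stays inside safe_root, else raise ValueError.

    Path.resolve() follows symlinks and collapses '..' components, so the
    containment test runs on the real filesystem location, not on the string.
    is_relative_to() (Python 3.9+) compares path components, which avoids the
    classic prefix bug where '/safe' would accept '/safe_evil/x'.
    """
    root = safe_root.resolve()
    # An absolute candidate discards root in the join; the check below still applies.
    target = (root / candidate).resolve()
    if not target.is_relative_to(root):
        raise ValueError(f"{candidate!r} resolves to {target}, outside {root}")
    return target


def logging_config_path(env_value: Optional[str], safe_root: Path,
                        default: str = "conf/logging.yml") -> Path:
    """Mirror the env-var-with-default pattern, then enforce containment.

    Pass os.environ.get("KEDRO_LOGGING_CONFIG") as env_value in real use.
    """
    candidate = env_value if env_value else default
    return resolve_within(candidate, safe_root)


def demo() -> Dict[str, str]:
    """Exercise the check against constructed paths in a throwaway directory."""
    import tempfile

    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "project"
        (root / "conf").mkdir(parents=True)
        (root / "conf" / "logging.yml").write_text("version: 1\n")
        outside = Path(tmp) / "outside.yml"
        outside.write_text("version: 1\n")

        # A symlink inside the project that points outside it (skipped where
        # the platform refuses to create symlinks).
        try:
            (root / "conf" / "link.yml").symlink_to(outside)
            symlink_ok = True
        except OSError:
            symlink_ok = False

        cases = {
            "default": None,                                   # falls back to conf/logging.yml
            "inside": "conf/logging.yml",
            "dotdot": "conf/../../outside.yml",                # traversal via '..'
            "absolute": str(outside),                          # absolute path outside root
            "prefix_sibling": str(Path(tmp) / "project_evil" / "logging.yml"),
        }
        if symlink_ok:
            cases["symlink_out"] = "conf/link.yml"
        else:
            results["symlink_out"] = "skipped"

        for name, value in cases.items():
            try:
                logging_config_path(value, root)
                results[name] = "accepted"
            except ValueError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} {outcome}")
```

The check has to run on the resolved path, not on the raw string: `conf/../../outside.yml` and a symlink under `conf/` both look harmless as text and both escape the root. Note that this still does not cover the zip/tar conf-source case raised above, where the config is not a filesystem path at all.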
