-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
only allow relative paths in `load_uploaded_files? #461
Comments
The file paths are not meant to be mapped to internal structures. The base path that should always be the user workspace, so I'd expect a |
I'm also thinking about being future proof (e.g. loading files from another user), or allowing back-ends to go further than the official spec and workflows (e.g. supporting an out-of-band upload mechanism that uploads to something like |
For other users, I'd rather use either a new parameter to select the data source or load_url. Encoding that in the path and as such exposing internals doesn't seem like a good idea. Similarly, if you have other data sources, or alternatively a new process. |
I don't see a direct todo here, closing for now. If you think differently, please open a PR with a proposal. |
I think this is at least a todo here |
PRs are welcome. |
openeo-processes/proposals/load_uploaded_files.json
Lines 12 to 20 in 965bbae
Current regex allows paths that escape the user workspace, like
/etc/passwd
and../../etc/passwd
.Wouldn't it be cleaner to at least forbid absolute paths (starting with
/
)?The text was updated successfully, but these errors were encountered: