Postprocess hardening

[freddyaboulton]

Description

Ensures only files located in the current working directory or tempdir are able to be moved to the cache

🎯 PRs Should Target Issues

Before your create a PR, please check to see if there is an existing issue for this change. If not, please create an issue before you create this PR, unless the fix is very small.

Not adhering to this guideline will result in the PR being closed.

Tests

1. PRs will only be merged if tests pass on CI. To run the tests locally, please set up your Gradio environment locally and run the tests: bash scripts/run_all_tests.sh

2. You may need to run the linters: bash scripts/format_backend.sh and bash scripts/format_frontend.sh

[gradio-pr-bot]

🪼 branch checks and previews

•	Name	Status	URL
	Website	ready!	Website preview
🦄	Changes	detected!	Details

[gradio-pr-bot]

🦄 change detected

This Pull Request includes changes to the following packages.

Package	Version
gradio	minor

• Maintainers can select this checkbox to manually select packages to update.

With the following changelog entry.

Postprocess hardening

Maintainers or the PR author can modify the PR title to modify this entry.

Something isn't right?

• Maintainers can change the version label to modify the version bump.
• If the bot has failed to detect any changes, or if this pull request needs to update multiple packages to different versions or requires a more comprehensive changelog entry, maintainers can update the changelog file directly.

[freddyaboulton]

According to the unit tests, we actually don't raise 404 if the file does not exist

[abidlabs]

Interesting, why do we set it here and not in the init of Blocks?

[freddyaboulton]

I thought this would be more "future proof" as it's the most up to date version of the Blocks before any sort of processing happens. But I don't think we need this actually.

[freddyaboulton]

We need this to be done after init for is_running to be set. I think actually this is a good place for it.

[abidlabs]

suggest putting this import at top of file

[freddyaboulton]

Done

[abidlabs]

I would add something like, "if you'd like to specifically allow this file to be served, you can add it to the allowed_paths parameter of launch()"

[freddyaboulton]

done

[abidlabs]

same^

[abidlabs]

Cool idea to use the fuzzer here. But if I'm understanding correctly, randomly generating paths is very, very unlikely to produce any overlaps between the parameters, right? So this is actually unlikely to test what happens if a path is in blocked_paths or allowed_paths or file_sets? Perhaps part of the path should be manually specified or the values should be chosen from a set with smaller cardinality

[freddyaboulton]

I greatly reduced the cardinality of the allowed possible paths set and also added some corner cases manually in a different test.

[abidlabs]

nit: it would be better to set an allowed flag here, and raise a single 403 later, after the utils.is_allowed_file has completed so that malicious attackers cannot using timing attacks to infer whether a particular filepath even exists (that itself can be insecure in certain settings)

[freddyaboulton]

Yea good call.

[abidlabs]

Note: I believe the gr.Code component is still vulnerable to attacks since in postprocess(), we simply read the file and return its contents to users. I think we just should just deprecate letting gr.Code taking in a tuple value

[abidlabs]

Left some comments but overall this works great. Good stuff @freddyaboulton, will go ahead and approve