Revert "Allow staticfiles to follow symlinks outside directory"

[Kludex]

• Reverts Allow staticfiles to follow symlinks outside directory #1377

[Kludex]

Ok. The incident has been resolved. It's time to explain what happened.

Description

Last night, we received a message on Gitter asking for a secure communication channel to report a security issue (much appreciated btw). I sent a message to that person, with @tomchristie in cc. Promptly, they replied with the following message:

There was also an application to reproduce the issue attached:

import uvicorn
from starlette.applications import Starlette
from starlette.routing import Mount
from starlette.staticfiles import StaticFiles

app = Starlette(
    routes=[
        Mount('/static', app=StaticFiles(directory='static')),
    ]
)

if __name__ == '__main__':
    uvicorn.run('main:app')

As mentioned, the problem was that we were allowing any symlink outside the specified directory from StaticFiles to be exposed. You can see the snippet that introduced it below.

starlette/starlette/staticfiles.py

Lines 166 to 175 in d3dccdc

	try:
	stat_result = os.lstat(original_path)
	full_path.relative_to(directory)
	return full_path, stat_result
	except ValueError:
	# Allow clients to break out of the static files directory
	# if following symlinks.
	if stat.S_ISLNK(stat_result.st_mode):
	stat_result = os.lstat(full_path)
	return full_path, stat_result

How this happened? How to avoid it in the future?

There were three reviewers on the PR that introduced the security issue, and two approvals (mine included). Even with that, we failed to see the issue.

As a self evaluation, and retrospective, I think this incident could have been avoided if we either had paid more attention, or maybe don't being overconfident about our knowledge on the pathlib module, or the same for the syscalls involved. In any case, we interpreted the logic flow wrong.

What we did to solve the issue?

As soon as the report was received, we reverted the PR, created a new release, and "yanked" the previous one on PyPI.

The version 0.20.2 was live for less than three days. It's also good to mention that none of the FastAPI users were affected.

Lessons learned

• We need a security report policy, to allow a secure channel to report issues.
• Being too cautious and push back PRs is not a problem.

Notes:

• I didn't expose the person who reported the issue, because I didn't ask, but I'd be more than happy to give merits if they allow me to do so! :)

EDIT: As @m1ckey said some words below, I guess I can now give the merits to him. Thanks so much @m1ckey! ❤️ 🏆

[tiangolo]

Thanks a lot for doing this, the quick response, and the full report!

[m1ckey]

Thank you for the professional handling.
I am happy that I could help to improve Starlette. 🌟