mirror of https://github.com/explosion/spaCy.git
Sanitize direct download (#13313)
The 'direct' option in 'spacy download' is supposed to only download from our model releases repository. However, users were able to pass in a relative path, allowing download from arbitrary repositories. This meant that a service that sourced strings from user input and which used the direct option would allow users to install arbitrary packages.
This commit is contained in:
parent
bff8725f4b
commit
0518c36f04
|
@ -1,5 +1,7 @@
|
|||
from wasabi import msg
|
||||
|
||||
# Needed for testing
|
||||
from . import download as download_module # noqa: F401
|
||||
from ._util import app, setup_cli # noqa: F401
|
||||
from .apply import apply # noqa: F401
|
||||
from .assemble import assemble_cli # noqa: F401
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
import sys
|
||||
from typing import Optional, Sequence
|
||||
from urllib.parse import urljoin
|
||||
|
||||
import requests
|
||||
import typer
|
||||
|
@ -63,6 +64,13 @@ def download(
|
|||
)
|
||||
pip_args = pip_args + ("--no-deps",)
|
||||
if direct:
|
||||
# Reject model names with '/', in order to prevent shenanigans.
|
||||
if "/" in model:
|
||||
msg.fail(
|
||||
title="Model download rejected",
|
||||
text=f"Cannot download model '{model}'. Models are expected to be file names, not URLs or fragments",
|
||||
exits=True,
|
||||
)
|
||||
components = model.split("-")
|
||||
model_name = "".join(components[:-1])
|
||||
version = components[-1]
|
||||
|
@ -153,7 +161,16 @@ def get_latest_version(model: str) -> str:
|
|||
def download_model(
|
||||
filename: str, user_pip_args: Optional[Sequence[str]] = None
|
||||
) -> None:
|
||||
download_url = about.__download_url__ + "/" + filename
|
||||
# Construct the download URL carefully. We need to make sure we don't
|
||||
# allow relative paths or other shenanigans to trick us into download
|
||||
# from outside our own repo.
|
||||
base_url = about.__download_url__
|
||||
# urljoin requires that the path ends with /, or the last path part will be dropped
|
||||
if not base_url.endswith("/"):
|
||||
base_url = about.__download_url__ + "/"
|
||||
download_url = urljoin(base_url, filename)
|
||||
if not download_url.startswith(about.__download_url__):
|
||||
raise ValueError(f"Download from {filename} rejected. Was it a relative path?")
|
||||
pip_args = list(user_pip_args) if user_pip_args is not None else []
|
||||
cmd = [sys.executable, "-m", "pip", "install"] + pip_args + [download_url]
|
||||
run_command(cmd)
|
||||
|
|
|
@ -12,7 +12,7 @@ from thinc.api import Config
|
|||
|
||||
import spacy
|
||||
from spacy import about
|
||||
from spacy.cli import info
|
||||
from spacy.cli import download_module, info
|
||||
from spacy.cli._util import parse_config_overrides, string_to_list, walk_directory
|
||||
from spacy.cli.apply import apply
|
||||
from spacy.cli.debug_data import (
|
||||
|
@ -1066,3 +1066,15 @@ def test_debug_data_trainable_lemmatizer_not_annotated():
|
|||
def test_project_api_imports():
|
||||
from spacy.cli import project_run
|
||||
from spacy.cli.project.run import project_run # noqa: F401, F811
|
||||
|
||||
|
||||
def test_download_rejects_relative_urls(monkeypatch):
|
||||
"""Test that we can't tell spacy download to get an arbitrary model by using a
|
||||
relative path in the filename"""
|
||||
|
||||
monkeypatch.setattr(download_module, "run_command", lambda cmd: None)
|
||||
|
||||
# Check that normal download works
|
||||
download_module.download("en_core_web_sm-3.7.1", direct=True)
|
||||
with pytest.raises(SystemExit):
|
||||
download_module.download("../en_core_web_sm-3.7.1", direct=True)
|
||||
|
|
Loading…
Reference in New Issue