Fix Projector Plugin vulnerability#7115
Conversation
| try: | ||
| if os.path.commonpath([config_dir, candidate]) != config_dir: | ||
| raise ValueError() | ||
| except ValueError as e: |
There was a problem hiding this comment.
Are there other possible ValueErrors that are expected besides the one we're raising? This seems a bit odd to me. Let's just raise the error with the proper error message directly?
There was a problem hiding this comment.
Updated this.
I changed it so we only catch ValueError from os.path.commonpath(...) itself and otherwise raise the final error message directly when the resolved path is outside the config directory.
Thanks!
| self.assertEqual(bookmark, {"a": "b"}) | ||
|
|
||
| def testMetadataRejectsTraversalOutsideLogdir(self): | ||
| outside_metadata_path = os.path.join( |
There was a problem hiding this comment.
These tests might be clearer and less error-prone if we use hard-coded, readable values, instead of relying on logic, e.g. /home/my_username/log_dir/ and /home/my_username/restricted_dir/
There was a problem hiding this comment.
Updated this.
I rewrote the setup to use explicit log_dir and restricted_dir directories and hard-coded readable traversal paths like ../restricted_dir/outside_metadata.tsv, so the boundary being tested is clearer.
Thanks!
3 participants
Summary
Fixes an arbitrary file read issue in the TensorBoard Projector plugin by restricting asset paths to the directory that contains
projector_config.pbtxt.Previously, user-controlled fields such as
metadata_path,tensor_path,bookmarks_path, andsprite.image_pathcould resolve to absolute paths or traversal paths outside the intended logdir/config directory. That allowed a malicious config to make TensorBoard read and return arbitrary local files from the host.What Changed
projector_config.pbtxt400response when a requested asset path is invalidSecurity Impact
This closes a path traversal / arbitrary local file read vector in the Projector plugin for deployments where an attacker can write or influence
projector_config.pbtxtcontents under a scanned logdir.Tests
Added projector integration coverage for:
metadata_pathusing traversal outside the logdirtensor_pathusing an absolute path outside the logdirbookmarks_pathusing an absolute path outside the logdirsprite.image_pathusing traversal outside the logdirValidation
Verified:
python -m py_compile tensorboard/plugins/projector/projector_plugin.py tensorboard/plugins/projector/projector_plugin_test.pybazel test //tensorboard/plugins/projector:projector_plugin_testRisk / Compatibility
Low risk for valid configurations.
This change may reject projector configs that previously referenced assets outside the config directory, but that behavior is now considered unsafe and is intentionally blocked.