Package: src:python-django-storages
Version: 1.13.2-1
Severity: serious
Control: close -1 1.14.4-1
Tags: ftbfs bookworm

Dear maintainer:

During a rebuild of all packages in bookworm + proposed-updates, your package 
failed to build:

--------------------------------------------------------------------------------
[...]
 debian/rules binary
dh binary --with python3,sphinxdoc --buildsystem=pybuild
   dh_update_autotools_config -O--buildsystem=pybuild
   dh_autoreconf -O--buildsystem=pybuild
   dh_auto_configure -O--buildsystem=pybuild
I: pybuild base:240: python3.11 setup.py config
running config
   dh_auto_build -O--buildsystem=pybuild
I: pybuild base:240: /usr/bin/python3 setup.py build
running build
running build_py
creating /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages
copying storages/utils.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages
copying storages/base.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages
copying storages/__init__.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages
copying storages/compress.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages
creating /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages/backends
copying storages/backends/azure_storage.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages/backends
copying storages/backends/sftpstorage.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages/backends
copying storages/backends/apache_libcloud.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages/backends
copying storages/backends/__init__.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages/backends
copying storages/backends/gcloud.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages/backends
copying storages/backends/s3boto3.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages/backends
copying storages/backends/dropbox.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages/backends
copying storages/backends/ftp.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages/backends
   dh_auto_test -O--buildsystem=pybuild
I: pybuild pybuild:307: cp -r /<<PKGBUILDDIR>>/tests /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build
I: pybuild base:240: cd /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build; python3.11 -m pytest --ignore=tests/integration
============================= test session starts ==============================
platform linux -- Python 3.11.2, pytest-7.2.1, pluggy-1.0.0+repack
rootdir: /<<PKGBUILDDIR>>
collected 152 items / 2 skipped

tests/test_dropbox.py .............F......F.                             [ 14%]
tests/test_ftp.py ...............................                        [ 34%]
tests/test_s3boto3.py .s...........................................      [ 64%]
tests/test_sftp.py .............................                         [ 83%]
tests/test_utils.py .........................                            [100%]

=================================== FAILURES ===================================
____________________________ DropBoxTest.test_save _____________________________

self = <tests.test_dropbox.DropBoxTest testMethod=test_save>
files_upload = <MagicMock name='files_get_metadata' id='139774506569680'>
args = (<MagicMock name='files_upload' id='139774506516880'>,)

    @mock.patch('dropbox.Dropbox.files_upload', return_value='foo')
    @mock.patch('dropbox.Dropbox.files_get_metadata', return_value=None)
    def test_save(self, files_upload, *args):
      name = self.storage.save('foo', File(io.BytesIO(b'bar'), 'foo'))

tests/test_dropbox.py:143:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
/usr/lib/python3/dist-packages/django/core/files/storage.py:62: in save
    validate_file_name(name, allow_relative_path=True)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

name = '/foo', allow_relative_path = True

    def validate_file_name(name, allow_relative_path=False):
        # Remove potentially dangerous names
        if os.path.basename(name) in {'', '.', '..'}:
            raise SuspiciousFileOperation("Could not derive file name from '%s'" % name)

        if allow_relative_path:
            # Ensure that name can be treated as a pure posix path, i.e. Unix
            # style (with forward slashes).
            path = pathlib.PurePosixPath(str(name).replace("\\", "/"))
            if path.is_absolute() or '..' in path.parts:
              raise SuspiciousFileOperation(
                    "Detected path traversal attempt in '%s'" % name
E                   django.core.exceptions.SuspiciousFileOperation: Detected path traversal attempt in '/foo'

/usr/lib/python3/dist-packages/django/core/files/utils.py:17: SuspiciousFileOperation
________________________ DropBoxRootPathTest.test_saves ________________________

self = <tests.test_dropbox.DropBoxRootPathTest testMethod=test_saves>
args = (<MagicMock name='files_get_metadata' id='139774506480144'>, <MagicMock name='files_upload' id='139774506473232'>, <MagicMock name='files_list_folder' id='139774505454928'>)

    @mock.patch('dropbox.Dropbox.files_upload', return_value='foo')
    @mock.patch('dropbox.Dropbox.files_get_metadata', return_value=None)
    def test_saves(self, *args):
        self.storage = dropbox.DropBoxStorage('foo', root_path='/bar')
      name = self.storage.save('xyz', File(io.BytesIO(b'abc'), 'def'))

tests/test_dropbox.py:207:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
/usr/lib/python3/dist-packages/django/core/files/storage.py:62: in save
    validate_file_name(name, allow_relative_path=True)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

name = '/bar/xyz', allow_relative_path = True

    def validate_file_name(name, allow_relative_path=False):
        # Remove potentially dangerous names
        if os.path.basename(name) in {'', '.', '..'}:
            raise SuspiciousFileOperation("Could not derive file name from '%s'" % name)

        if allow_relative_path:
            # Ensure that name can be treated as a pure posix path, i.e. Unix
            # style (with forward slashes).
            path = pathlib.PurePosixPath(str(name).replace("\\", "/"))
            if path.is_absolute() or '..' in path.parts:
              raise SuspiciousFileOperation(
                    "Detected path traversal attempt in '%s'" % name
E                   django.core.exceptions.SuspiciousFileOperation: Detected path traversal attempt in '/bar/xyz'

/usr/lib/python3/dist-packages/django/core/files/utils.py:17: SuspiciousFileOperation
=============================== warnings summary ===============================
../../../../../../usr/lib/python3/dist-packages/django/http/request.py:1
  /usr/lib/python3/dist-packages/django/http/request.py:1: DeprecationWarning: 'cgi' is deprecated and slated for removal in Python 3.13
    import cgi

../../../../../../usr/lib/python3/dist-packages/django/utils/encoding.py:266
  /usr/lib/python3/dist-packages/django/utils/encoding.py:266: DeprecationWarning: Use setlocale(), getencoding() and getlocale() instead
    encoding = locale.getdefaultlocale()[1] or 'ascii'

-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
=========================== short test summary info ============================
FAILED tests/test_dropbox.py::DropBoxTest::test_save - django.core.exceptions...
FAILED tests/test_dropbox.py::DropBoxRootPathTest::test_saves - django.core.e...
============= 2 failed, 149 passed, 3 skipped, 2 warnings in 0.75s =============
E: pybuild pybuild:388: test: plugin distutils failed with: exit code=1: cd /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build; python3.11 -m pytest --ignore=tests/integration
dh_auto_test: error: pybuild --test --test-pytest -i python{version} -p 3.11 returned exit code 13
make: *** [debian/rules:12: binary] Error 25
dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2
--------------------------------------------------------------------------------

The above is just how the build ends and not necessarily the most relevant part.
If required, the full build log is available here:

https://people.debian.org/~sanvila/build-logs/bookworm/

About the archive rebuild: The build was made on virtual machines
of type m6a.large and r6a.large from AWS, using sbuild and a
reduced chroot with only build-essential packages.

If you could not reproduce the bug please contact me privately, as I
am willing to provide ssh access to a virtual machine where the bug is
fully reproducible.

If this is really a bug in one of the build-depends, please use
reassign and affects, so that this is still visible in the BTS web
page for this package.


Note: The bug is closed with the version in trixie/sid, but
packages in bookworm must still build in bookworm.


Thanks.
