rusackas commented on code in PR #40593:
URL: https://github.com/apache/superset/pull/40593#discussion_r3374889283


##########
superset-extensions-cli/src/superset_extensions_cli/cli.py:
##########
@@ -239,12 +239,30 @@ def copy_backend_files(cwd: Path) -> None:
 
     # Process include patterns
     for pattern in include_patterns:
+        # Include patterns are only meant to select files within the backend
+        # directory. Reject absolute patterns or ones that walk outside it via
+        # parent ("..") components before handing them to glob().
+        pattern_parts = Path(pattern).parts
+        if Path(pattern).is_absolute() or ".." in pattern_parts:
+            raise click.ClickException(
+                f"Invalid include pattern {pattern!r}: patterns must be "
+                "relative to the backend directory and may not contain '..'."
+            )
         for f in backend_dir.glob(pattern):
             if not f.is_file():
                 continue
 
+            # Defense in depth: confirm the matched file resolves to a location
+            # inside the backend directory before copying it into the bundle.
+            resolved = f.resolve()
+            if not resolved.is_relative_to(backend_dir):
+                raise click.ClickException(
+                    f"Refusing to copy {f}: resolved path is outside the "
+                    f"backend directory {backend_dir}."
+                )
+
             # Check exclude patterns
-            relative_path = f.relative_to(backend_dir)
+            relative_path = resolved.relative_to(backend_dir)
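
Review bot: the switch to `relative_path = resolved.relative_to(backend_dir)` on the last added line changes where symlinked files land in the bundle. A symlink at `backend/a/b.py` whose target is `backend/lib/b.py` passes the new boundary check, but is now staged and exclude-matched as `lib/b.py` instead of the configured `a/b.py`. Keep the boundary check on `resolved`, but derive `relative_path` (and the exclude evaluation that follows) from the matched path, i.e. `relative_path = f.relative_to(backend_dir)`. Separately, `resolved.is_relative_to(backend_dir)` compares a fully resolved path against `backend_dir` as given; unless `backend_dir` is already resolved earlier in the function, a `cwd` containing a symlink component (a temp directory that is itself a symlink, say) would make every match fail the check with the "outside the backend directory" error, so consider comparing against `backend_dir.resolve()`. Note also that `Path.is_relative_to` requires Python 3.9 or newer.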

Review Comment:
Good catch — fixed in 8687268. The boundary check still runs against the resolved path, but the bundle-relative path and exclude evaluation now use the matched path (`f.relative_to(backend_dir)`) instead of the resolved symlink target. So symlinked files inside `backend/` are staged at their configured path rather than under the target location, and excludes apply to the configured path. Added a test covering the symlink case.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.