Deny git access to nested server root (#1278)

* Deny git access to nested server root

* Clean up code

* Shift code logic to server side

* Remove redundant utility function

* Restore unintended line deletion

* Enable path parsing for windows and linux

* Remove un-needed response attributes

* Add test case

* Replace test for new case

* Add trailing slash

Co-authored-by: Frédéric Collonval <fcollonval@users.noreply.github.com>

* Fix testcase

Co-authored-by: Frédéric Collonval <fcollonval@users.noreply.github.com>

* Fix format

---------

Co-authored-by: Frédéric Collonval <fcollonval@users.noreply.github.com>
Co-authored-by: Frédéric Collonval <fcollonval@gmail.com>

Author: Zxun2

.gitignore

@@ -135,4 +135,7 @@ dmypy.json
 .vscode
 
 # vim stuff
-*.swp
+*.swp
+
+# virtual env
+venv/

jupyterlab_git/git.py

@@ -950,7 +950,7 @@ async def show_top_level(self, path):
                 "message": my_error,
             }
 
-    async def show_prefix(self, path):
+    async def show_prefix(self, path, contents_manager):
         """
         Execute git --show-prefix command & return the result.
         """
@@ -959,9 +959,28 @@ async def show_prefix(self, path):
             cmd,
             cwd=path,
         )
+
         if code == 0:
-            result = {"code": code, "path": my_output.strip("\n")}
-            return result
+            relative_git_path = my_output.strip("\n")
+            repository_path = (
+                path[: -len(relative_git_path)] if relative_git_path else path
+            )
+            try:
+                # Raise an error is the repository_path is not a subpath of root_dir
+                Path(repository_path).absolute().relative_to(
+                    Path(contents_manager.root_dir).absolute()
+                )
+            except ValueError:
+                return {
+                    "code": code,
+                    "path": None,
+                }
+            else:
+                result = {
+                    "code": code,
+                    "path": relative_git_path,
+                }
+                return result
         else:
             # Handle special case where cwd not inside a git repo
             lower_error = my_error.lower()

jupyterlab_git/handlers.py

@@ -174,7 +174,8 @@ async def post(self, path: str = ""):
         POST request handler, displays the prefix path of a directory in a repository,
         with respect to the root directory.
         """
-        result = await self.git.show_prefix(self.url2localpath(path))
+        local_path, cm = self.url2localpath(path, with_contents_manager=True)
+        result = await self.git.show_prefix(local_path, cm)
 
         if result["code"] != 0:
             self.set_status(500)

jupyterlab_git/tests/test_handlers.py

@@ -10,6 +10,8 @@
 from .testutils import assert_http_error, maybe_future
 from tornado.httpclient import HTTPClientError
 
+from pathlib import Path
+
 
 def test_mapping_added():
     mock_web_app = Mock()
@@ -112,6 +114,35 @@ async def test_git_show_prefix(mock_execute, jp_fetch, jp_root_dir):
     )
 
 
+@patch("jupyterlab_git.git.execute")
+async def test_git_show_prefix_nested_directory(mock_execute, jp_fetch, jp_root_dir):
+    mock_execute.return_value = maybe_future((0, f"{jp_root_dir.name}/", ""))
+    # When
+    response = await jp_fetch(
+        NAMESPACE,
+        "show_prefix",
+        body="{}",
+        method="POST",
+    )
+    # Then
+    assert response.code == 200
+    payload = json.loads(response.body)
+    assert payload["path"] is None
+    mock_execute.assert_has_calls(
+        [
+            call(
+                ["git", "rev-parse", "--show-prefix"],
+                cwd=str(jp_root_dir) + "/",
+                timeout=20,
+                env=None,
+                username=None,
+                password=None,
+                is_binary=False,
+            ),
+        ]
+    )
+
+
 async def test_git_show_prefix_for_excluded_path(
     jp_fetch, jp_server_config, jp_root_dir
 ):