Some tweaks to is_in_or_equal (#9020)

* Add code

* file_explorer test

* dont use fastapi

* Add code

* Update requirements.txt

* Ci security tweaks (#9010)

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* Ci security tweaks (#9012)

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* :[

* add cursor styling (#9003)

* Add min/max-imize button to gr.Image and gr.Gallery (#8964)

* add max/min-imize and zoom in and out to image preview

* add full screen icon to gallery

* add stories

* add changeset

* use native full screen api

* remove zoom in/out

* add changeset

* tweaks

* remove zoom prop

* fix ui test

* add annotated image btns

* add changeset

* format

* ruff format

* fix test

* remove

* tweak

* fix test

* format

* amend bool check

---------

Co-authored-by: gradio-pr-bot <gradio-pr-bot@users.noreply.github.com>
Co-authored-by: pngwn <hello@pngwn.io>

* Ci security tweaks (#9014)

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* asd

* :[

* asd

* asd (#9015)

* Ci security tweaks take seventy three (#9016)

* asd

* asd

* asd

* Ci security tweaks take seventy three (#9017)

* asd

* asd

* asd

* asd

* Ci security tweaks take seventy three (#9018)

* asd

* asd

* asd

* asd

* adsa

* asd

* Ci security tweaks take seventy three (#9019)

* asd

* asd

* asd

* asd

* adsa

* asd

* asd

* Website fixes for mobile  (#8857)

* better header for mobile

* add changeset

* nicer border

* style header

* better search overlay

* responsive changes

* more mobile responsiveness

* docs and guides mobile responsive

* formatting

* fix get started button

* fix header

* test without lite

* formatting

* secondary menu docs

* fix type overflow in paramtable

* playground header

* playground on mobile

* small changes

* formatting

* formatting

---------

Co-authored-by: gradio-pr-bot <gradio-pr-bot@users.noreply.github.com>

* Ci security tweaks take seventy three (#9025)

* asd

* asd

* asd

* asd

* adsa

* asd

* asd

* asd

* Ci security tweaks take seventy three (#9026)

* asd

* asd

* asd

* asd

* adsa

* asd

* asd

* asd

* fix

* asd (#9027)

* fix (#9028)

* Ci statuses (#9030)

* fix

* asd

* Update tests

* add changeset

* Add code

* add changeset

* Comments

---------

Co-authored-by: pngwn <hello@pngwn.io>
Co-authored-by: Hannah <hannahblair@users.noreply.github.com>
Co-authored-by: gradio-pr-bot <gradio-pr-bot@users.noreply.github.com>
Co-authored-by: Ali Abdalla <ali.si3luwa@gmail.com>

Author: 5 people

.changeset/ten-lands-change.md

@@ -0,0 +1,5 @@
+---
+"gradio": patch
+---
+
+feat:Some tweaks to is_in_or_equal

gradio/blocks.py

@@ -56,7 +56,13 @@
     get_render_context,
     set_render_context,
 )
-from gradio.data_classes import BlocksConfigDict, FileData, GradioModel, GradioRootModel
+from gradio.data_classes import (
+    BlocksConfigDict,
+    DeveloperPath,
+    FileData,
+    GradioModel,
+    GradioRootModel,
+)
 from gradio.events import (
     EventData,
     EventListener,
@@ -409,7 +415,7 @@ def __init__(
             render=render,
         )
 
-    TEMPLATE_DIR = "./templates/"
+    TEMPLATE_DIR = DeveloperPath("./templates/")
     FRONTEND_DIR = "../../frontend/"
 
     @property

gradio/components/base.py

@@ -19,7 +19,7 @@
 from gradio import utils
 from gradio.blocks import Block, BlockContext
 from gradio.component_meta import ComponentMeta
-from gradio.data_classes import BaseModel, GradioDataModel
+from gradio.data_classes import BaseModel, DeveloperPath, GradioDataModel
 from gradio.events import EventListener
 from gradio.layouts import Form
 from gradio.processing_utils import move_files_to_cache
@@ -228,7 +228,7 @@ def __init__(
 
         self.component_class_id = self.__class__.get_component_class_id()
 
-    TEMPLATE_DIR = "./templates/"
+    TEMPLATE_DIR = DeveloperPath("./templates/")
     FRONTEND_DIR = "../../frontend/"
 
     def get_config(self):

gradio/components/file_explorer.py

@@ -11,7 +11,8 @@
 from gradio_client.documentation import document
 
 from gradio.components.base import Component, server
-from gradio.data_classes import GradioRootModel
+from gradio.data_classes import DeveloperPath, GradioRootModel, UserProvidedPath
+from gradio.utils import safe_join
 
 if TYPE_CHECKING:
     from gradio.components import Timer
@@ -85,7 +86,7 @@ def __init__(
             )
             root_dir = root
             self._constructor_args[0]["root_dir"] = root
-        self.root_dir = os.path.abspath(root_dir)
+        self.root_dir = DeveloperPath(os.path.abspath(root_dir))
         self.glob = glob
         self.ignore_glob = ignore_glob
         valid_file_count = ["single", "multiple"]
@@ -202,11 +203,8 @@ def ls(self, subdirectory: list | None = None) -> list[dict[str, str]] | None:
 
         return folders + files
 
-    def _safe_join(self, folders):
-        combined_path = os.path.join(self.root_dir, *folders)
-        absolute_path = os.path.abspath(combined_path)
-        if os.path.commonprefix([self.root_dir, absolute_path]) != os.path.abspath(
-            self.root_dir
-        ):
-            raise ValueError("Attempted to navigate outside of root directory")
-        return absolute_path
+    def _safe_join(self, folders: list[str]):
+        if not folders or len(folders) == 0:
+            return self.root_dir
+        combined_path = UserProvidedPath(os.path.join(*folders))
+        return safe_join(self.root_dir, combined_path)

gradio/data_classes.py

@@ -8,7 +8,17 @@
 import shutil
 from abc import ABC, abstractmethod
 from enum import Enum, auto
-from typing import Any, Iterator, List, Literal, Optional, Tuple, TypedDict, Union
+from typing import (
+    Any,
+    Iterator,
+    List,
+    Literal,
+    NewType,
+    Optional,
+    Tuple,
+    TypedDict,
+    Union,
+)
 
 from fastapi import Request
 from gradio_client.documentation import document
@@ -21,6 +31,9 @@
 except ImportError:
     JsonValue = Any
 
+DeveloperPath = NewType("DeveloperPath", str)
+UserProvidedPath = NewType("UserProvidedPath", str)
+
 
 class CancelBody(BaseModel):
     session_hash: str

gradio/exceptions.py

@@ -98,3 +98,7 @@ def __str__(self):
 
 class ComponentDefinitionError(NotImplementedError):
     pass
+
+
+class InvalidPathError(ValueError):
+    pass

gradio/route_utils.py

@@ -42,7 +42,10 @@
 from starlette.types import ASGIApp, Message, Receive, Scope, Send
 
 from gradio import processing_utils, utils
-from gradio.data_classes import BlocksConfigDict, PredictBody
+from gradio.data_classes import (
+    BlocksConfigDict,
+    PredictBody,
+)
 from gradio.exceptions import Error
 from gradio.helpers import EventData
 from gradio.state_holder import SessionState

gradio/routes.py

@@ -18,7 +18,6 @@
 import json
 import mimetypes
 import os
-import posixpath
 import secrets
 import time
 import traceback
@@ -35,6 +34,7 @@
     Optional,
     Type,
     Union,
+    cast,
 )
 
 import fastapi
@@ -73,10 +73,13 @@
     ComponentServerBlobBody,
     ComponentServerJSONBody,
     DataWithFiles,
+    DeveloperPath,
     PredictBody,
     ResetBody,
     SimplePredictBody,
+    UserProvidedPath,
 )
+from gradio.exceptions import InvalidPathError
 from gradio.oauth import attach_oauth
 from gradio.route_utils import (  # noqa: F401
     CustomCORSMiddleware,
@@ -109,9 +112,18 @@
 
 mimetypes.init()
 
-STATIC_TEMPLATE_LIB = files("gradio").joinpath("templates").as_posix()  # type: ignore
-STATIC_PATH_LIB = files("gradio").joinpath("templates", "frontend", "static").as_posix()  # type: ignore
-BUILD_PATH_LIB = files("gradio").joinpath("templates", "frontend", "assets").as_posix()  # type: ignore
+STATIC_TEMPLATE_LIB = cast(
+    DeveloperPath,
+    files("gradio").joinpath("templates").as_posix(),  # type: ignore
+)
+STATIC_PATH_LIB = cast(
+    DeveloperPath,
+    files("gradio").joinpath("templates", "frontend", "static").as_posix(),  # type: ignore
+)
+BUILD_PATH_LIB = cast(
+    DeveloperPath,
+    files("gradio").joinpath("templates", "frontend", "assets").as_posix(),  # type: ignore
+)
 VERSION = get_package_version()
 
 
@@ -446,7 +458,7 @@ def get_config(request: fastapi.Request):
 
         @app.get("/static/{path:path}")
         def static_resource(path: str):
-            static_file = safe_join(STATIC_PATH_LIB, path)
+            static_file = routes_safe_join(STATIC_PATH_LIB, UserProvidedPath(path))
             return FileResponse(static_file)
 
         @app.get("/custom_component/{id}/{type}/{file_name}")
@@ -458,7 +470,6 @@ def custom_component_path(
             location = next(
                 (item for item in components if item["component_class_id"] == id), None
             )
-
             if location is None:
                 raise HTTPException(status_code=404, detail="Component not found.")
 
@@ -470,9 +481,14 @@ def custom_component_path(
             if module_path is None or component_instance is None:
                 raise HTTPException(status_code=404, detail="Component not found.")
 
-            path = safe_join(
-                str(Path(module_path).parent),
-                f"{component_instance.__class__.TEMPLATE_DIR}/{type}/{file_name}",
+            requested_path = utils.safe_join(
+                component_instance.__class__.TEMPLATE_DIR,
+                UserProvidedPath(f"{type}/{file_name}"),
+            )
+
+            path = routes_safe_join(
+                DeveloperPath(str(Path(module_path).parent)),
+                UserProvidedPath(requested_path),
             )
 
             key = f"{id}-{type}-{file_name}"
@@ -494,7 +510,7 @@ def custom_component_path(
 
         @app.get("/assets/{path:path}")
         def build_resource(path: str):
-            build_file = safe_join(BUILD_PATH_LIB, path)
+            build_file = routes_safe_join(BUILD_PATH_LIB, UserProvidedPath(path))
             return FileResponse(build_file)
 
         @app.get("/favicon.ico")
@@ -543,7 +559,7 @@ async def file(path_or_url: str, request: fastapi.Request):
 
             is_dir = abs_path.is_dir()
 
-            if in_blocklist or is_dir:
+            if is_dir or in_blocklist:
                 raise HTTPException(403, f"File not allowed: {path_or_url}.")
 
             created_by_app = False
@@ -1142,7 +1158,14 @@ async def upload_file(
                     name = f"tmp{secrets.token_hex(5)}"
                 directory = Path(app.uploaded_file_dir) / temp_file.sha.hexdigest()
                 directory.mkdir(exist_ok=True, parents=True)
-                dest = (directory / name).resolve()
+                try:
+                    dest = utils.safe_join(
+                        DeveloperPath(str(directory)), UserProvidedPath(name)
+                    )
+                except InvalidPathError as err:
+                    raise HTTPException(
+                        status_code=400, detail=f"Invalid file name: {name}"
+                    ) from err
                 temp_file.file.close()
                 # we need to move the temp file to the cache directory
                 # but that's possibly blocking and we're in an async function
@@ -1153,9 +1176,9 @@ async def upload_file(
                     os.rename(temp_file.file.name, dest)
                 except OSError:
                     files_to_copy.append(temp_file.file.name)
-                    locations.append(str(dest))
+                    locations.append(dest)
                 output_files.append(dest)
-                blocks.upload_file_set.add(str(dest))
+                blocks.upload_file_set.add(dest)
             if files_to_copy:
                 bg_tasks.add_task(
                     move_uploaded_files_to_cache, files_to_copy, locations
@@ -1218,32 +1241,22 @@ async def analytics_dashboard(key: str):
 ########
 
 
-def safe_join(directory: str, path: str) -> str:
-    """Safely path to a base directory to avoid escaping the base directory.
-    Borrowed from: werkzeug.security.safe_join"""
-    _os_alt_seps: List[str] = [
-        sep for sep in [os.path.sep, os.path.altsep] if sep is not None and sep != "/"
-    ]
-
+def routes_safe_join(directory: DeveloperPath, path: UserProvidedPath) -> str:
+    """Safely join the user path to the directory while performing some additional http-related checks,
+    e.g. ensuring that the full path exists on the local file system and is not a directory"""
     if path == "":
-        raise HTTPException(400)
+        raise fastapi.HTTPException(400)
     if route_utils.starts_with_protocol(path):
-        raise HTTPException(403)
-    filename = posixpath.normpath(path)
-    fullpath = os.path.join(directory, filename)
-    if (
-        any(sep in filename for sep in _os_alt_seps)
-        or os.path.isabs(filename)
-        or filename == ".."
-        or filename.startswith("../")
-        or os.path.isdir(fullpath)
-    ):
-        raise HTTPException(403)
-
-    if not os.path.exists(fullpath):
-        raise HTTPException(404, "File not found")
-
-    return fullpath
+        raise fastapi.HTTPException(403)
+    try:
+        fullpath = Path(utils.safe_join(directory, path))
+    except InvalidPathError as e:
+        raise fastapi.HTTPException(403) from e
+    if fullpath.is_dir():
+        raise fastapi.HTTPException(403)
+    if not fullpath.exists():
+        raise fastapi.HTTPException(404)
+    return str(fullpath)
 
 
 def get_types(cls_set: List[Type]):