Resolve relative paths before comparing row.localFile to uploads_base_path

Jesse Whitehouse · Jesse Whitehouse · commit 34a0362a81de · 2022-12-20T15:43:07.000-06:00
Applies feedback from PR review

Signed-off-by: Jesse Whitehouse &lt;jesse.whitehouse@databricks.com&gt;
diff --git a/src/databricks/sql/client.py b/src/databricks/sql/client.py
@@ -312,18 +312,23 @@ def _handle_staging_operation(self, uploads_base_path: str):
             raise Error(
                 "You must provide an uploads_base_path when initialising a connection to perform ingestion commands"
             )
-        
+
         row = self.active_result_set.fetchone()
 
+        # Must set to None in cases where server response does not include localFile
+        abs_localFile = None
+
         if getattr(row, "localFile", None):
-            if os.path.commonpath([row.localFile, uploads_base_path]) != uploads_base_path:
+            abs_localFile = os.path.abspath(row.localFile)
+            abs_uploads_base_path = os.path.abspath(uploads_base_path)
+            if os.path.commonpath([abs_localFile, abs_uploads_base_path]) != abs_uploads_base_path:
                 raise Error("Local file operations are restricted to paths within the configured uploads_base_path")
 
         # TODO: Experiment with DBR sending real headers.
         # The specification says headers will be in JSON format but the current null value is actually an empty list []
         handler_args = {
             "presigned_url": row.presignedUrl,
-            "local_file": getattr(row, "localFile", None),
+            "local_file": abs_localFile,
             "headers": json.loads(row.headers or "{}"),
         }
 
diff --git a/tests/e2e/driver_tests.py b/tests/e2e/driver_tests.py
@@ -741,6 +741,24 @@ def test_staging_ingestion_put_fails_if_localFile_not_in_uploads_base_path(self)
                 query = f"PUT '{temp_path}' INTO 'stage://tmp/{self.staging_ingestion_user}/tmp/11/15/file1.csv' OVERWRITE"
                 cursor.execute(query)
 
+    def test_staging_ingestion_put_fails_if_absolute_localFile_not_in_uploads_base_path(self):
+        """
+        This test confirms that uploads_base_path and target_file are resolved into absolute paths.
+        """
+
+        # If these two paths are not resolved absolutely, they appear to share a common path of /var/www/html
+        # after resolution their common path is only /var/www which should raise an exception
+        # Because the common path must always be equal to uploads_base_path
+        uploads_base_path = "/var/www/html"
+        target_file = "/var/www/html/../html1/not_allowed.html"
+
+        with pytest.raises(Error):
+            with self.connection(extra_params={"uploads_base_path": uploads_base_path}) as conn:
+                cursor = conn.cursor()
+                query = f"PUT '{target_file}' INTO 'stage://tmp/{self.staging_ingestion_user}/tmp/11/15/file1.csv' OVERWRITE"
+                cursor.execute(query)
+
+
 
 def main(cli_args):
     global get_args_from_env
