Merge pull request from GHSA-v7x4-rhpg-3p2r

Use safe_open instead of open

Author: stsewd

readthedocs/core/tests/test_filesystem_utils.py

@@ -7,7 +7,7 @@
 
 from readthedocs.core.utils.filesystem import safe_copytree, safe_open, safe_rmtree
 from readthedocs.doc_builder.exceptions import (
-    FileIsNotRegularFile,
+    FileTooLarge,
     SymlinkOutsideBasePath,
     UnsupportedSymlinkFileError,
 )
@@ -103,6 +103,26 @@ def test_open(self):
             )
             self.assertIsNotNone(context_manager)
 
+    def test_open_large_file(self):
+        root_directory = Path(mkdtemp())
+        docroot_path = root_directory
+        file_a = root_directory / "test.txt"
+        file_a.write_bytes(b"0" * (1024 * 2))
+
+        with override_settings(DOCROOT=docroot_path):
+            with pytest.raises(FileTooLarge):
+                safe_open(file_a, max_size_bytes=1024)
+
+    def test_write_file(self):
+        root_directory = Path(mkdtemp())
+        docroot_path = root_directory
+        file_a = root_directory / "test.txt"
+
+        with override_settings(DOCROOT=docroot_path):
+            with safe_open(file_a, mode="w") as f:
+                f.write("Hello World")
+            self.assertEqual(file_a.read_text(), "Hello World")
+
     def test_open_outside_docroot(self):
         root_directory = Path(mkdtemp())
         docroot_path = Path(mkdtemp())

readthedocs/core/utils/filesystem.py

@@ -14,12 +14,14 @@
 
 from readthedocs.doc_builder.exceptions import (
     FileIsNotRegularFile,
+    FileTooLarge,
     SymlinkOutsideBasePath,
     UnsupportedSymlinkFileError,
 )
 
 log = structlog.get_logger(__name__)
 
+MAX_FILE_SIZE_BYTES = 1024 * 1024 * 1024 * 1  # 1 GB
 
 def _assert_path_is_inside_docroot(path):
     resolved_path = path.absolute().resolve()
@@ -32,13 +34,21 @@ def _assert_path_is_inside_docroot(path):
         raise SuspiciousFileOperation(path)
 
 
-def safe_open(path, *args, allow_symlinks=False, base_path=None, **kwargs):
+def safe_open(
+    path,
+    *args,
+    allow_symlinks=False,
+    base_path=None,
+    max_size_bytes=MAX_FILE_SIZE_BYTES,
+    **kwargs
+):
     """
     Wrapper around path.open() to check for symlinks.
 
     - Checks for symlinks to avoid symlink following vulnerabilities
        like GHSA-368m-86q9-m99w.
     - Checks that files aren't out of the DOCROOT directory.
+    - Checks that files aren't too large.
 
     :param allow_symlinks: If `False` and the path is a symlink, raise `FileIsSymlink`
      This prevents reading the contents of other files users shouldn't have access to.
@@ -47,6 +57,7 @@ def safe_open(path, *args, allow_symlinks=False, base_path=None, **kwargs):
      (usually the directory where the project was cloned).
      It must be given if `allow_symlinks` is set to `True`.
      This prevents path traversal attacks (even when using symlinks).
+    :param max_size_bytes: Maximum file size allowed in bytes when reading a file.
 
     The extra *args and **kwargs will be passed to the open() method.
 
@@ -56,7 +67,7 @@ def safe_open(path, *args, allow_symlinks=False, base_path=None, **kwargs):
        Users shouldn't be able to change files while this operation is done.
     """
     if allow_symlinks and not base_path:
-        raise ValueError("base_path mut be given if symlinks are allowed.")
+        raise ValueError("base_path must be given if symlinks are allowed.")
 
     path = Path(path).absolute()
 
@@ -74,6 +85,12 @@ def safe_open(path, *args, allow_symlinks=False, base_path=None, **kwargs):
     # Expand symlinks.
     resolved_path = path.resolve()
 
+    if resolved_path.exists():
+        file_size = resolved_path.stat().st_size
+        if file_size > max_size_bytes:
+            log.info("File is too large.", size_bytes=file_size)
+            raise FileTooLarge(path)
+
     if allow_symlinks and base_path:
         base_path = Path(base_path).absolute()
         if not resolved_path.is_relative_to(base_path):

readthedocs/doc_builder/backends/mkdocs.py

@@ -214,7 +214,7 @@ def append_conf(self):
             docs_dir=os.path.relpath(docs_path, self.project_path),
             mkdocs_config=user_config,
         )
-        with open(
+        with safe_open(
             os.path.join(docs_path, "readthedocs-data.js"), "w", encoding="utf-8"
         ) as f:
             f.write(rtd_data)
@@ -231,7 +231,7 @@ def append_conf(self):
                 user_config['theme'] = self.DEFAULT_THEME_NAME
 
         # Write the modified mkdocs configuration
-        with open(self.yaml_file, "w", encoding="utf-8") as f:
+        with safe_open(self.yaml_file, "w", encoding="utf-8") as f:
             yaml_dump_safely(
                 user_config,
                 f,

readthedocs/doc_builder/exceptions.py

@@ -140,3 +140,10 @@ class FileIsNotRegularFile(UnsupportedSymlinkFileError):
 
 class SymlinkOutsideBasePath(UnsupportedSymlinkFileError):
     pass
+
+
+class FileTooLarge(BuildUserError):
+    message = gettext_noop(
+        "A file from your build process is too large to be processed by Read the Docs. "
+        "Please ensure no files generated are larger than 1GB."
+    )