Fix FileExplorer preprocess path traversal #13050

Closed
api2062 wants to merge 3 commits into gradio-app:main from api2062:api2062/13043

@api2062 api2062 commented Mar 21, 2026

Description

Closes: #13043

This PR fixes a path traversal bug in FileExplorer.preprocess().

preprocess() previously used direct path joins on client-provided segments (payload.root) and did not apply the same safety checks already used in ls(). This allowed .. segments to escape root_dir.

Changes made:

  • Use self._safe_join(...) in preprocess() for single-file mode.
  • Use self._safe_join(...) in preprocess() for multiple-file mode.
  • Add regression tests to ensure traversal inputs raise InvalidPathError in both modes.

Validation run:

  • python -m pytest -q test/components/test_file_explorer.py (5 passed)
  • bash scripts/format_backend.sh

kumquat

AI Disclosure

  • I used AI to help draft and verify the code/test changes and PR text.
  • I did not use AI

🎯 PRs Should Target Issues

This PR targets an existing issue: #13043.

Testing and Formatting Your Code

  • Ran targeted backend tests for this change.
  • Ran backend formatting/type checks for this branch.
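
The difference the description draws between a direct join of client-supplied segments and a checked join, as an added example that is not Gradio's code and not part of this PR. `naive_join`, `contained_join`, `escapes`, the local `InvalidPathError` class, `ROOT` and the sample payloads are constructed for illustration; `contained_join` is a hypothetical helper, not Gradio's `_safe_join`.

```python
import os


class InvalidPathError(ValueError):
    """Local stand-in for the error named in the PR text (not imported from Gradio)."""


def naive_join(root_dir, segments):
    # Direct join: ".." components and absolute segments are honoured as given.
    return os.path.normpath(os.path.join(root_dir, *segments))


def contained_join(root_dir, segments):
    # Hypothetical helper: resolve the path (symlinks included), then verify containment.
    root = os.path.realpath(root_dir)
    candidate = os.path.realpath(os.path.join(root, *segments))
    # commonpath compares whole components, so ".../files-old" is not inside ".../files",
    # which a plain string startswith() check would get wrong.
    if os.path.commonpath([root, candidate]) != root:
        raise InvalidPathError(f"{segments!r} resolves outside {root}")
    return candidate


def escapes(root_dir, segments):
    """Return True when contained_join rejects the segments."""
    try:
        contained_join(root_dir, segments)
    except InvalidPathError:
        return True
    return False


ROOT = "/srv/app/files"  # constructed root directory (POSIX paths assumed)
# Constructed payloads: each is a list of path segments as a client might send them.
SAMPLES = [
    ["reports", "q1.csv"],         # stays inside the root
    ["reports", "..", "q1.csv"],   # contains ".." but still resolves inside the root
    ["..", "..", "secrets.env"],   # climbs out of the root
    ["/etc/hostname"],             # absolute segment makes os.path.join discard the root
    ["..", "files-old", "a.txt"],  # sibling directory sharing the root's name prefix
]

if __name__ == "__main__":
    for seg in SAMPLES:
        print(seg, "->", naive_join(ROOT, seg), "| rejected:", escapes(ROOT, seg))
```
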

@github-actions
Contributor

This PR has been flagged as AI generated and labelled accordingly.

@api2062 api2062 marked this pull request as ready for review March 21, 2026 04:46
@gradio-pr-bot
Collaborator

gradio-pr-bot commented Mar 23, 2026

🪼 branch checks and previews

| Name | Status | URL |
| --- | --- | --- |
| Spaces | ready! | Spaces preview |
| Website | ready! | Website preview |
| 🦄 | Changes detected! | Details |

Install Gradio from this PR

pip install https://gradio-pypi-previews.s3.amazonaws.com/cb5d38e3f848db638fae8c18fba710b402470b9a/gradio-6.9.0-py3-none-any.whl

Install Gradio Python Client from this PR

pip install "gradio-client @ git+https://github.com/gradio-app/gradio@cb5d38e3f848db638fae8c18fba710b402470b9a#subdirectory=client/python"

Install Gradio JS Client from this PR

npm install https://gradio-npm-previews.s3.amazonaws.com/cb5d38e3f848db638fae8c18fba710b402470b9a/gradio-client-2.1.0.tgz

@gradio-pr-bot
Collaborator

🦄 change detected

This Pull Request includes changes to the following packages.

| Package | Version |
| --- | --- |
| gradio | minor |

  • Fix FileExplorer preprocess path traversal

‼️ Changeset not approved. Ensure the version bump is appropriate for all packages before approving.

  • Maintainers can approve the changeset by checking this checkbox.

Something isn't right?

  • Maintainers can change the version label to modify the version bump.
  • If the bot has failed to detect any changes, or if this pull request needs to update multiple packages to different versions or requires a more comprehensive changelog entry, maintainers can update the changelog file directly.

@freddyaboulton
Collaborator

Hi @api2062 - I closed the issue this PR is targeting since it was not a real issue
