diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..9840c65f5c
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,15 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported |
+| ------- | ------------------ |
+| 2.x | :white_check_mark: |
+
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability, we would be very grateful if you could email us at team@gradio.app. This is the preferred approach instead of opening a public issue. We take all vulnerability reports seriously, and will work to patch the vulnerability immediately. Whenever possible, we will credit the person or people who report the security vulnerabilities after it has been patched.
diff --git a/gradio.egg-info/PKG-INFO b/gradio.egg-info/PKG-INFO
index 6361cdd5ec..2e1d8ed1a7 100644
--- a/gradio.egg-info/PKG-INFO
+++ b/gradio.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 1.0
 Name: gradio
-Version: 2.4.7b9
+Version: 2.5.1
 Summary: Python library for easily interacting with trained machine learning models
 Home-page: https://github.com/gradio-app/gradio-UI
 Author: Abubakar Abid
diff --git a/gradio/networking.py b/gradio/networking.py
index 5bb27edf1c..c7c94653af 100644
--- a/gradio/networking.py
+++ b/gradio/networking.py
@@ -377,15 +377,14 @@ def interpret():
 @app.route("/file/", methods=["GET"])
 @login_check
 def file(path):
-    path = secure_filename(path)
     if app.interface.encrypt and isinstance(app.interface.examples, str) and path.startswith(app.interface.examples):
-        with open(os.path.join(app.cwd, path), "rb") as encrypted_file:
+        with open(safe_join(app.cwd, path), "rb") as encrypted_file:
             encrypted_data = encrypted_file.read()
         file_data = encryptor.decrypt(
             app.interface.encryption_key, encrypted_data)
         return send_file(io.BytesIO(file_data), attachment_filename=os.path.basename(path))
     else:
-        return send_file(os.path.join(app.cwd, path))
+        return send_file(safe_join(app.cwd, path))
 
 
 @app.route("/api/queue/push/", methods=["POST"])
diff --git a/gradio/version.txt b/gradio/version.txt
index 7ea4b014fa..437459cd94 100644
--- a/gradio/version.txt
+++ b/gradio/version.txt
@@ -1 +1 @@
-2.4.7b9
+2.5.0
diff --git a/setup.py b/setup.py
index 18d4e53288..66e443d665 100644
--- a/setup.py
+++ b/setup.py
@@ -5,7 +5,7 @@ except ImportError:
 
 setup(
     name='gradio',
-    version='2.4.7b9',
+    version='2.5.1',
     include_package_data=True,
     description='Python library for easily interacting with trained machine learning models',
     author='Abubakar Abid',
diff --git a/test/test_networking.py b/test/test_networking.py
index 6afd176723..4adc7c3d9f 100644
--- a/test/test_networking.py
+++ b/test/test_networking.py
@@ -71,6 +71,11 @@ class TestFlaskRoutes(unittest.TestCase):
         response = self.client.get('/api/')
         self.assertEqual(response.status_code, 200)
 
+    def test_static_files_served_safely(self):
+        # Make sure things outside the static folder are not accessible
+        response = self.client.get(r'/static/..%2f..%2fapi_docs.html')
+        self.assertEqual(response.status_code, 500)
+
     def test_get_config_route(self):
         response = self.client.get('/config/')
         self.assertEqual(response.status_code, 200)
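Review bot: The value returned by `safe_join` is passed straight into `open(..., "rb")` and `send_file(...)` on the two added lines of `file()`, but `safe_join` reports a rejected path out of band — werkzeug's `safe_join` returns `None`, Flask's raises `NotFound` — and the import that decides which one is in use is outside this hunk. With the werkzeug variant a traversal request such as `../../x` turns into `open(None, "rb")` or `send_file(None)`, which fails with a `TypeError` and surfaces as a 500 (with a traceback when debug is on) rather than a deliberate refusal. Resolve the path once before the branch and reject explicitly: `full_path = safe_join(app.cwd, path)` followed by `if full_path is None: abort(404)`, then use `full_path` in both the encrypted and plain branches. Note that the `startswith(app.interface.examples)` prefix test still runs on the raw `path`, which is fine since `safe_join` is what confines the filesystem access to `app.cwd`.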
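Review bot: `test_static_files_served_safely` asserts a 500 for the `..%2f..%2f` request, which pins an unhandled exception as the traversal guard; if the static handler is later changed to refuse cleanly with 404 or 403 — the safer behaviour — this test starts failing. Assert the refusal and the absence of the file instead, e.g. `self.assertIn(response.status_code, (403, 404))` and a `self.assertNotIn(...)` on a byte string that only appears in `api_docs.html`. The test also exercises only `/static/`, not the `/file/` route whose `safe_join` change is the substance of this commit; a sibling case requesting `/file/..%2f..%2fapi_docs.html` with the same refusal assertions would cover that change directly. Keep the percent-encoded form, since the test client may normalise a literal `..` before the request reaches the app.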