almet/dangerzone
1
0
Fork 0
mirror of https://github.com/freedomofpress/dangerzone.git synced 2025-04-30 10:42:37 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

container: Copy files before mounting them

Browse source 
Copy input files in a temporary dir before mounting them, thereby
changing their permissions, without affecting the original files. This
way, we can avoid cases where a file is accessible to the user only due
to a supplemental user group, which does not work for containers.

Fixes #157
Fixes #260
Fixes #335
This commit is contained in:
Alex Pyrgiotis 2023-02-09 00:44:53 +02:00
parent ea73f5d820
commit 2042591964
No known key found for this signature in database
GPG key ID: B6C15EBA0357C9AA
1 changed files with 9 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
dangerzone/isolation_provider/container.py
View file

@ -220,10 +220,13 @@ class Container(IsolationProvider):
# Create a temporary directory inside the cache directory for this run. Then, # Create a temporary directory inside the cache directory for this run. Then,
# create some subdirectories for the various stages of the file conversion: # create some subdirectories for the various stages of the file conversion:
# #
# * unsafe: Where the input file will be copied
# * pixel: Where the RGB data will be stored # * pixel: Where the RGB data will be stored
# * safe: Where the final PDF file will be stored # * safe: Where the final PDF file will be stored
with tempfile.TemporaryDirectory(dir=get_tmp_dir()) as t: with tempfile.TemporaryDirectory(dir=get_tmp_dir()) as t:
tmp_dir = pathlib.Path(t) tmp_dir = pathlib.Path(t)
unsafe_dir = tmp_dir / "unsafe"
unsafe_dir.mkdir()
pixel_dir = tmp_dir / "pixels" pixel_dir = tmp_dir / "pixels"
pixel_dir.mkdir() pixel_dir.mkdir()
safe_dir = tmp_dir / "safe" safe_dir = tmp_dir / "safe"
@ -231,6 +234,7 @@ class Container(IsolationProvider):
return self._convert_with_tmpdirs( return self._convert_with_tmpdirs(
document=document, document=document,
unsafe_dir=unsafe_dir,
pixel_dir=pixel_dir, pixel_dir=pixel_dir,
safe_dir=safe_dir, safe_dir=safe_dir,
ocr_lang=ocr_lang, ocr_lang=ocr_lang,
@ -240,6 +244,7 @@ class Container(IsolationProvider):
def _convert_with_tmpdirs( def _convert_with_tmpdirs(
self, self,
document: Document, document: Document,
unsafe_dir: pathlib.Path,
pixel_dir: pathlib.Path, pixel_dir: pathlib.Path,
safe_dir: pathlib.Path, safe_dir: pathlib.Path,
ocr_lang: Optional[str], ocr_lang: Optional[str],
@ -252,6 +257,9 @@ class Container(IsolationProvider):
else: else:
ocr = "0" ocr = "0"
copied_file = unsafe_dir / "input_file"
shutil.copyfile(f"{document.input_filename}", copied_file)
# Convert document to pixels # Convert document to pixels
command = [ command = [
"/usr/bin/python3", "/usr/bin/python3",
@ -260,7 +268,7 @@ class Container(IsolationProvider):
] ]
extra_args = [ extra_args = [
"-v", "-v",
f"{document.input_filename}:/tmp/input_file:Z", f"{copied_file}:/tmp/input_file:Z",
"-v", "-v",
f"{pixel_dir}:/dangerzone:Z", f"{pixel_dir}:/dangerzone:Z",
"-e", "-e",