| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Reporting a Vulnerability |
| 4 | + |
| 5 | +If there are any vulnerabilities in `titiler`, don't hesitate to _report them_. |
| 6 | + |
| 7 | +1. Use Github's security reporting tools. |
| 8 | + |
| 9 | +see https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability |
| 10 | + |
| 11 | +2. Describe the vulnerability. |
| 12 | + |
| 13 | + If you have a fix, that is most welcome -- please attach or summarize it in your message! |
| 14 | + |
| 15 | +3. We will evaluate the vulnerability and, if necessary, release a fix or mitigating steps to address it. We will contact you to let you know the outcome, and will credit you in the report. |
| 16 | + |
| 17 | + Please **do not disclose the vulnerability publicly** until a fix is released! |
| 18 | + |
| 19 | +4. Once we have either a) published a fix, or b) declined to address the vulnerability for whatever reason, you are free to publicly disclose it. |
| 20 | + |
| 21 | + |
| 22 | +## GDAL |
| 23 | + |
| 24 | +`TiTiler` is built on top of Rasterio which is a python wrapper for the [GDAL](https://gdal.org/en/stable/) C++ library. At the time of writing, GDAL is responsible for most of the I/O and thus is where vulnerabilities could be harmful. For any `I/O` issues please first check [GDAL documentation](https://gdal.org/en/stable/user/security.html#security-considerations). |
| 25 | + |
| 26 | +#### GDAL VRT Driver |
| 27 | + |
| 28 | +There is a known security vulnerability with the VRT Driver: |
| 29 | + |
| 30 | +> It can be used to access any valid GDAL dataset. If a hostile party, with knowledge of the location on the filesystem of a valid GDAL dataset, convinces a user to run gdal_translate a VRT file and give it back the result, it might be able to steal data. That could potentially be able for a web service accepting data from the user, converting it, and sending back the result. |
| 31 | +
|
| 32 | +see https://gdal.org/en/stable/user/security.html#gdal-vrt-driver |
| 33 | + |
| 34 | +Thus we recommend deploying titiler in infrastructure with limited access to the filesystem. Users can also `disable` the VRT driver completely by using `GDAL_SKIP=VRT` environment variable. |
| 35 | + |
| 36 | +In GDAL 3.12, new environment variables might be introduced to enable more control over the VRT driver: https://github.com/OSGeo/gdal/pull/12669 |
| 37 | + |
| 38 | +#### Limit source's host |
| 39 | + |
| 40 | +If users want to limit the sources that the application can access, they can also create custom `path_dependency` such as this one which limits valid sources to a list of known hosts: |
| 41 | + |
| 42 | +```python |
| 43 | +from urllib.parse import urlparse |
| 44 | + |
| 45 | +from typing import Annotated |
| 46 | +from titiler.core.factory import TilerFactory |
| 47 | +from titiler.core.errors import DEFAULT_STATUS_CODES, add_exception_handlers |
| 48 | + |
| 49 | +from fastapi import FastAPI, Query, HTTPException |
| 50 | + |
| 51 | +# List of known host where dataset can be read from |
| 52 | +known_host = [ |
| 53 | + "devseed.org", |
| 54 | +] |
| 55 | + |
| 56 | +def DatasetPathParams(url: Annotated[str, Query(description="Dataset URL")]) -> str: |
| 57 | + """Create dataset path from args""" |
| 58 | + # validate Dataset host |
| 59 | + parsed = urlparse(url) |
| 60 | + if parsed.netloc not in known_host: |
| 61 | + raise HTTPException( |
| 62 | + status_code=400, |
| 63 | + detail="Nope, this is not a valid File - Please Try Again", |
| 64 | + ) |
| 65 | + |
| 66 | + return url |
| 67 | + |
| 68 | + |
| 69 | +app = FastAPI(title="My simple app") |
| 70 | +app.include_router(TilerFactory(path_dependency=DatasetPathParams).router) |
| 71 | + |
| 72 | +add_exception_handlers(app, DEFAULT_STATUS_CODES) |
| 73 | +``` |
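Review bot: the allowlist in `DatasetPathParams` compares `parsed.netloc` against `known_host` and nothing else, so the URL scheme is unconstrained and the match is an exact string compare: `netloc` still carries any userinfo and port, and a mixed-case host is rejected while a non-HTTPS scheme with an allowed host passes. Tighten it to `if parsed.scheme != "https" or parsed.hostname not in known_host:` (`hostname` strips userinfo and port and lower-cases the host). More importantly, the "Limit source's host" section should state that this allowlist does not close the VRT issue quoted above it: a VRT fetched from an allowed host can still reference any local dataset, which is exactly the behaviour the GDAL quote describes, so `GDAL_SKIP=VRT` or filesystem isolation remains necessary alongside the host check rather than as an alternative to it. Minor: rename `known_host` to `known_hosts` and the heading to "Limit source hosts"; move `from typing import Annotated` up with the other standard-library imports; and the 400 message "Nope, this is not a valid File - Please Try Again" would be clearer as "Dataset host not allowed".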