Show error message dialog when failed to extract an archive file (#101)

aidy1991 · fcollonval · web-flow · commit 996071c82b3a · 2022-10-24T15:09:33.000+02:00
* Fix path traversal

* Add unit test and minor refactoring

* Update jupyter_archive/handlers.py

Co-authored-by: Frédéric Collonval &lt;fcollonval@users.noreply.github.com&gt;

* Use parametrize

* Show error message dialog when failed to extract an archive file

* Show detailed error message

* Implement write_error()

Co-authored-by: Frédéric Collonval &lt;fcollonval@users.noreply.github.com&gt;
diff --git a/jupyter_archive/handlers.py b/jupyter_archive/handlers.py
@@ -1,9 +1,12 @@
+import json
 import os
 import pathlib
 import tarfile
 import time
+import traceback
 import zipfile
 import threading
+from http.client import responses
 
 from jupyter_server.base.handlers import JupyterHandler
 from jupyter_server.utils import url2path, url_path_join
@@ -244,8 +247,9 @@ def extract_archive(self, archive_path):
             with archive_reader as archive:
                 for name in archive_reader.getnames():
                     if os.path.relpath(archive_destination / name, archive_destination).startswith(os.pardir):
-                        self.log.error(f"The archive file includes an unsafe file: {name}")
-                        raise web.HTTPError(400)
+                        error_message = f"The archive file includes an unsafe file path: {name}"
+                        self.log.error(error_message)
+                        raise web.HTTPError(400, reason=error_message)
             # Re-open stream
             archive_reader = make_reader(archive_path)
 
@@ -254,6 +258,26 @@ def extract_archive(self, archive_path):
 
         self.log.info("Finished extracting {} to {}.".format(archive_path, archive_destination))
 
+    def write_error(self, status_code, **kwargs):
+        # Return error response as JSON
+        # See https://github.com/pyenv/pyenv/blob/ff9d3ca69ef5006352cadc31e57f51aca42705a6/versions/3.8.12/lib/python3.8/site-packages/jupyter_server/base/handlers.py#L610
+        self.set_header("Content-Type", "application/json")
+        message = responses.get(status_code, "Unknown HTTP Error")
+        reply = {
+            "message": message,
+        }
+        exc_info = kwargs.get("exc_info")
+        if exc_info:
+            e = exc_info[1]
+            if isinstance(e, web.HTTPError):
+                reply["message"] = e.log_message or message
+                reply["reason"] = e.reason
+            else:
+                reply["message"] = "Unhandled error"
+                reply["reason"] = None
+                reply["traceback"] = "".join(traceback.format_exception(*exc_info))
+        self.finish(json.dumps(reply))
+
 
 def setup_handlers(web_app):
     host_pattern = ".*$"
diff --git a/src/index.ts b/src/index.ts
@@ -107,7 +107,10 @@ function extractArchiveRequest(path: string): Promise<void> {
 
   return ServerConnection.makeRequest(url, request, settings).then(response => {
     if (response.status !== 200) {
-      throw new ServerConnection.ResponseError(response);
+      response.json().then(data => {
+        showErrorMessage('Fail to extract the archive file', data.reason);
+        throw new ServerConnection.ResponseError(response);
+      });
     }
   });
 }

Original file line number	Diff line number	Diff line change
`@@ -107,7 +107,10 @@ function extractArchiveRequest(path: string): Promise<void> {`
`107`	`107`
`108`	`108`	`return ServerConnection.makeRequest(url, request, settings).then(response => {`
`109`	`109`	`if (response.status !== 200) {`
`110`		`- throw new ServerConnection.ResponseError(response);`
	`110`	`+ response.json().then(data => {`
	`111`	`+ showErrorMessage('Fail to extract the archive file', data.reason);`
	`112`	`+ throw new ServerConnection.ResponseError(response);`
	`113`	`+ });`
`111`	`114`	`}`
`112`	`115`	`});`
`113`	`116`	`}`