better path stuff

Author: Archmonger

src/py/reactpy/reactpy/backend/_common.py

@@ -71,18 +71,17 @@ async def _check_if_started(server: uvicorn.Server, started: asyncio.Event) -> N
 
 def safe_client_build_dir_path(path: str) -> Path:
     """Prevent path traversal out of :data:`CLIENT_BUILD_DIR`"""
-    return traversal_safe_path(
-        CLIENT_BUILD_DIR,
-        *("index.html" if path in ("", "/") else path).split("/"),
+    return safe_join_path(
+        CLIENT_BUILD_DIR, *("index.html" if path in {"", "/"} else path).split("/")
     )
 
 
 def safe_web_modules_dir_path(path: str) -> Path:
     """Prevent path traversal out of :data:`reactpy.config.REACTPY_WEB_MODULES_DIR`"""
-    return traversal_safe_path(REACTPY_WEB_MODULES_DIR.current, *path.split("/"))
+    return safe_join_path(REACTPY_WEB_MODULES_DIR.current, *path.split("/"))
 
 
-def traversal_safe_path(root: str | Path, *unsafe: str | Path) -> Path:
+def safe_join_path(root: str | Path, *unsafe: str | Path) -> Path:
     """Raise a ``ValueError`` if the ``unsafe`` path resolves outside the root dir."""
     root = os.path.abspath(root)
 
@@ -92,8 +91,9 @@ def traversal_safe_path(root: str | Path, *unsafe: str | Path) -> Path:
 
     if os.path.commonprefix([root, path]) != root:
         # If the common prefix is not root directory we resolved outside the root dir
-        msg = "Unsafe path"
-        raise ValueError(msg)
+        raise ValueError(
+            f"Unsafe path detected. Path '{path}' is outside root directory '{root}'"
+        )
 
     return Path(path)
 

src/py/reactpy/reactpy/backend/asgi.py

@@ -4,17 +4,16 @@
 import os
 import re
 import urllib.parse
-from collections.abc import Sequence
+from collections.abc import Coroutine, Sequence
 from pathlib import Path
-from typing import Coroutine
 
 import aiofiles
 import orjson
 from asgiref.compatibility import guarantee_single_callable
 
 from reactpy.backend._common import (
     CLIENT_BUILD_DIR,
-    traversal_safe_path,
+    safe_join_path,
     vdom_head_elements_to_html,
 )
 from reactpy.backend.hooks import ConnectionContext
@@ -25,7 +24,6 @@
 from reactpy.core.serve import serve_layout
 from reactpy.core.types import ComponentConstructor, VdomDict
 
-DEFAULT_STATIC_PATH = f"{os.getcwd()}/static"
 DEFAULT_BLOCK_SIZE = 8192
 _logger = logging.getLogger(__name__)
 
@@ -38,7 +36,7 @@ def __init__(
         dispatcher_path: str = "^reactpy/([^/]+)/?",
         js_modules_path: str | None = "^reactpy/modules/([^/]+)/?",
         static_path: str | None = "^reactpy/static/([^/]+)/?",
-        static_dir: str | None = DEFAULT_STATIC_PATH,
+        static_dir: Path | str | None = None,
         head: Sequence[VdomDict] | VdomDict | str = "",
     ) -> None:
         self.component = (
@@ -56,8 +54,8 @@ def __init__(
                 "The first argument to `ReactPy` must be a component or an ASGI application."
             )
         self.dispatch_path = re.compile(dispatcher_path)
-        self.js_modules_path = re.compile(js_modules_path)
-        self.static_path = re.compile(static_path)
+        self.js_modules_path = re.compile(js_modules_path) if js_modules_path else None
+        self.static_path = re.compile(static_path) if static_path else None
         self.static_dir = static_dir
         self.all_paths = re.compile(
             "|".join(
@@ -88,14 +86,20 @@ async def __call__(self, scope, receive, send) -> None:
                 return
 
             # Route requests to our JS web module app
-            if scope["type"] == "http" and re.match(
-                self.js_modules_path, scope["path"]
+            if (
+                scope["type"] == "http"
+                and self.js_modules_path
+                and re.match(self.js_modules_path, scope["path"])
             ):
                 await self.js_modules_app(scope, receive, send)
                 return
 
             # Route requests to our static file server app
-            if scope["type"] == "http" and re.match(self.static_path, scope["path"]):
+            if (
+                scope["type"] == "http"
+                and self.static_path
+                and re.match(self.static_path, scope["path"])
+            ):
                 await self.static_file_app(scope, receive, send)
                 return
 
@@ -159,45 +163,42 @@ async def js_modules_app(self, scope, receive, send) -> None:
         """The ASGI application for ReactPy web modules."""
 
         if not REACTPY_WEB_MODULES_DIR.current:
-            raise RuntimeError("No web modules directory configured")
-
-        # Get the relative file path from the URL
-        file_url_path = re.match(self.js_modules_path, scope["path"])[1]
+            raise RuntimeError("No web modules directory configured.")
 
         # Make sure the user hasn't tried to escape the web modules directory
         try:
-            file_path = traversal_safe_path(
+            abs_file_path = safe_join_path(
                 REACTPY_WEB_MODULES_DIR.current,
                 REACTPY_WEB_MODULES_DIR.current,
-                file_url_path,
+                re.match(self.js_modules_path, scope["path"])[1],
             )
         except ValueError:
             await simple_response(send, 403, "Forbidden")
             return
 
         # Serve the file
-        await file_response(scope, send, file_path)
+        await file_response(scope, send, abs_file_path)
 
     async def static_file_app(self, scope, receive, send) -> None:
         """The ASGI application for ReactPy static files."""
 
-        if self.static_dir is None:
-            raise RuntimeError("No static directory configured")
-
-        # Get the relative file path from the URL
-        file_url_path = re.match(self.static_path, scope["path"])[1]
+        if not self.static_dir:
+            raise RuntimeError(
+                "Static files cannot be served without defining `static_dir`."
+            )
 
         # Make sure the user hasn't tried to escape the static directory
         try:
-            file_path = traversal_safe_path(
-                self.static_dir, self.static_dir, file_url_path
+            abs_file_path = safe_join_path(
+                self.static_dir,
+                re.match(self.static_path, scope["path"])[1],
             )
         except ValueError:
             await simple_response(send, 403, "Forbidden")
             return
 
         # Serve the file
-        await file_response(scope, send, file_path)
+        await file_response(scope, send, abs_file_path)
 
     async def index_html_app(self, scope, receive, send) -> None:
         """The ASGI application for ReactPy index.html."""
@@ -289,7 +290,9 @@ async def file_response(scope, send, file_path: Path) -> None:
     )
     if mime_type is None:
         mime_type = "text/plain"
-        _logger.error(f"Could not determine MIME type for {file_path}.")
+        _logger.error(
+            f"Could not determine MIME type for {file_path}. Defaulting to 'text/plain'."
+        )
 
     # Send the file in chunks
     async with aiofiles.open(file_path, "rb") as file_handle:
@@ -299,7 +302,12 @@ async def file_response(scope, send, file_path: Path) -> None:
                 "status": 200,
                 "headers": [
                     (b"content-type", mime_type.encode()),
-                    (b"last-modified", str(os.path.getmtime(file_path)).encode()),
+                    (
+                        b"last-modified",
+                        str(
+                            await asyncio.to_thread(os.path.getmtime, file_path)
+                        ).encode(),
+                    ),
                 ],
             }
         )

src/py/reactpy/tests/test_backend/test__common.py

@@ -3,7 +3,7 @@
 from reactpy import html
 from reactpy.backend._common import (
     CommonOptions,
-    traversal_safe_path,
+    safe_join_path,
     vdom_head_elements_to_html,
 )
 
@@ -25,8 +25,8 @@ def test_common_options_url_prefix_starts_with_slash():
     ],
 )
 def test_catch_unsafe_relative_path_traversal(tmp_path, bad_path):
-    with pytest.raises(ValueError, match="Unsafe path"):
-        traversal_safe_path(tmp_path, *bad_path.split("/"))
+    with pytest.raises(ValueError):
+        safe_join_path(tmp_path, *bad_path.split("/"))
 
 
 @pytest.mark.parametrize(