Security Policy¶
Reporting a Vulnerability¶
If there are any vulnerabilities in titiler
, don't hesitate to report them.
- Use Github's security reporting tools.
- Describe the vulnerability.
If you have a fix, that is most welcome -- please attach or summarize it in your message!
- We will evaluate the vulnerability and, if necessary, release a fix or mitigating steps to address it. We will contact you to let you know the outcome, and will credit you in the report.
Please do not disclose the vulnerability publicly until a fix is released!
- Once we have either a) published a fix, or b) declined to address the vulnerability for whatever reason, you are free to publicly disclose it.
GDAL¶
TiTiler
is built on top of Rasterio which is a python wrapper for the GDAL C++ library. At the time of writing, GDAL is responsible for most of the I/O and thus is where vulnerabilities could be harmful. For any I/O
issues please first check GDAL documentation.
GDAL VRT Driver¶
There is a known security vulnerability with the VRT Driver:
It can be used to access any valid GDAL dataset. If a hostile party, with knowledge of the location on the filesystem of a valid GDAL dataset, convinces a user to run gdal_translate a VRT file and give it back the result, it might be able to steal data. That could potentially be able for a web service accepting data from the user, converting it, and sending back the result.
see gdal.org/en/stable/user/security.html#gdal-vrt-driver
Thus we recommend deploying titiler in infrastructure with limited access to the filesystem. Users can also disable
the VRT driver completely by using GDAL_SKIP=VRT
environment variable.
In GDAL 3.12, new environment variables might be introduced to enable more control over the VRT driver: OSGeo/gdal!12669
Limit source's host¶
If users want to limit the sources that the application can access, they can also create custom path_dependency
such as this one which limits valid sources to a list of known hosts:
from urllib.parse import urlparse
from typing import Annotated
from titiler.core.factory import TilerFactory
from titiler.core.errors import DEFAULT_STATUS_CODES, add_exception_handlers
from fastapi import FastAPI, Query, HTTPException
# List of known host where dataset can be read from
known_host = [
"devseed.org",
]
def DatasetPathParams(url: Annotated[str, Query(description="Dataset URL")]) -> str:
"""Create dataset path from args"""
# validate Dataset host
parsed = urlparse(url)
if parsed.netloc not in known_host:
raise HTTPException(
status_code=400,
detail="Nope, this is not a valid File - Please Try Again",
)
return url
app = FastAPI(title="My simple app")
app.include_router(TilerFactory(path_dependency=DatasetPathParams).router)
add_exception_handlers(app, DEFAULT_STATUS_CODES)