Update aspire deploy command to use secure project-relative directories instead of system temp #10642
Conversation
…tput path Co-authored-by: captainsafia <1857993+captainsafia@users.noreply.github.com>
aspire deploy command should be updated to use a temporary output directory as the default output path when none is provided as an argument.
…f manual GUID approach Co-authored-by: davidfowl <95136+davidfowl@users.noreply.github.com>
Co-authored-by: captainsafia <1857993+captainsafia@users.noreply.github.com>
There was a problem hiding this comment.
Pull Request Overview
Updates the aspire deploy command to use temporary directories as the default output path instead of creating a deploy subdirectory in the current working directory. This change improves isolation between deploy operations and prevents directory clutter.
- Changed default output path generation to use system temporary directories with unique naming
- Added comprehensive unit test to verify the new temporary directory behavior
- Maintains backward compatibility for users specifying custom
--output-pathvalues
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/Aspire.Cli/Commands/DeployCommand.cs | Modified GetDefaultOutputPath to generate unique temporary directories using Directory.CreateTempSubdirectory |
| tests/Aspire.Cli.Tests/Commands/DeployCommandTests.cs | Added unit test to verify temporary directory usage and validate naming patterns |
| protected override string GetOutputPathDescription() => DeployCommandStrings.OutputPathArgumentDescription; | ||
|
|
||
| protected override string GetDefaultOutputPath(ArgumentResult result) => Path.Combine(Environment.CurrentDirectory, "deploy"); | ||
| protected override string GetDefaultOutputPath(ArgumentResult result) => Directory.CreateTempSubdirectory("aspire-deploy-").FullName; |
There was a problem hiding this comment.
Feels weird that calling this twice will make a new directory. Should this be changed to CreateDefaultOutputPath?
There was a problem hiding this comment.
Good point! Renamed the method to CreateDefaultOutputPath to make it clear that it has side effects and creates a new directory each time it's called. This clarifies the semantic difference from a simple getter. Change implemented in commit fd42658.
…e effects Co-authored-by: davidfowl <95136+davidfowl@users.noreply.github.com>
|
Should this path be stable based on the source path? |
Co-authored-by: davidfowl <95136+davidfowl@users.noreply.github.com>
| var sourcePath = projectFile?.FullName ?? Environment.CurrentDirectory; | ||
|
|
||
| // Create a stable hash of the source path for the directory name | ||
| var sourceHash = sourcePath.GetHashCode().ToString("x8", CultureInfo.InvariantCulture); |
There was a problem hiding this comment.
Never use GetHashCode for persitent hashes, use SHA256
There was a problem hiding this comment.
Updated to use SHA256 instead of GetHashCode for persistent hashing. SHA256 provides deterministic, cross-platform stable hashes compared to GetHashCode which can vary between runs and platforms. Change implemented in commit e866bbb.
Co-authored-by: davidfowl <95136+davidfowl@users.noreply.github.com>
|
Should we be using /tmp? Can we assume that the user running the deployment operation is the only one that has access to the files that are produced there - can we be sure that no secrets will be dropped into that location? |
| // Get the project path to create a stable temporary directory based on the source path | ||
| var projectFile = result.GetValue<FileInfo?>("--project"); | ||
| var sourcePath = projectFile?.FullName ?? Environment.CurrentDirectory; | ||
|
|
||
| // Create a stable hash of the source path for the directory name using SHA256 | ||
| var sourceHash = SHA256.HashData(Encoding.UTF8.GetBytes(sourcePath)); | ||
| var hashString = Convert.ToHexString(sourceHash)[..8].ToLowerInvariant(); |
There was a problem hiding this comment.
Why do we need a stable temp directory? We are going to generate the assets every time deploy is ran. Putting it in a new one every time is fine.
There was a problem hiding this comment.
Using a stable path per-project sets us up to be able to diff changes across deployments. We might also end up needing to store intermediary state in this directory for later lookup.
There was a problem hiding this comment.
CreateTempSubdirectory is going to create a brand new directory each time it is called.
Using a predictable folder in /tmp is not a good security practice. See https://systemd.io/TEMPORARY_DIRECTORIES/
Note that /tmp/ and /var/tmp/ each define a common namespace shared by all local software. This means guessable file or directory names below either directory directly translate into a 🚨 Denial-of-Service (DoS) 🚨 vulnerability or worse: if some software creates a file or directory /tmp/foo then any other software that wants to create the same file or directory /tmp/foo either will fail (as the file already exists) or might be tricked into using untrusted files. Hence: do not use guessable names in /tmp/ or /var/tmp/ — if you do you open yourself up to a local DoS exploit or worse.
There was a problem hiding this comment.
You're absolutely right about the security risks of predictable folders in /tmp. The implementation has been updated to use project-relative directories under .aspire/deploy/ instead of system temp directories, which addresses the security concerns while maintaining stable paths. Added .aspire/ to .gitignore to prevent accidental commits. Change implemented in commit b821ce0.
| var sourceHash = SHA256.HashData(Encoding.UTF8.GetBytes(sourcePath)); | ||
| var hashString = Convert.ToHexString(sourceHash)[..8].ToLowerInvariant(); | ||
|
|
||
| return Directory.CreateTempSubdirectory($"aspire-deploy-{hashString}-").FullName; |
There was a problem hiding this comment.
Who cleans up this directoy when deploy is done?
There was a problem hiding this comment.
See #10642 (comment). I think for now leaving things around is helpful for debugging.
You're absolutely right about the security concern. Using system temp directories can expose sensitive deployment artifacts to other users on the system. I'll change the implementation to use project-relative directories instead, which keeps artifacts secure within the user's project directory while maintaining the stable path benefits. |
We can't gurantee that there won't be secrets in the outputs. As far as access constraints, we can probably apply some access control rules on the directory that we create. It seems like Copilot is eagerly applying your feedback (😅), but I'd like to land in a place where we aren't storying the deployment assets in the project directory, since it causes confusion/overloading with the assets emitted by publish. One thing we can consider is storing them in the |
…d of system temp Co-authored-by: captainsafia <1857993+captainsafia@users.noreply.github.com>
…t artifacts Co-authored-by: captainsafia <1857993+captainsafia@users.noreply.github.com>
Good point about preventing accidental commits to source control. Added |
Updates the
aspire deploycommand to use secure project-relative directories for deployment artifacts instead of system temporary directories, addressing security concerns while maintaining stable paths.Problem
The previous implementation used
Directory.CreateTempSubdirectory()which creates directories under the system temp path (e.g.,/tmpon Unix). This posed security risks because:/tmpcreates denial-of-service vulnerabilitiesSolution
Modified
DeployCommand.CreateDefaultOutputPath()to use project-relative directories:Before:
After:
Added
.aspire/to.gitignoreto prevent accidental commits of deployment artifacts to source control.Benefits
.aspiredirectory to avoid cluttering the project root--output-pathExample
Testing
💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.