Skip to content

Alamut alignment file link#5457

Open
molucorner wants to merge 241 commits intomainfrom
alamut-alignment-file-link
Open

Alamut alignment file link#5457
molucorner wants to merge 241 commits intomainfrom
alamut-alignment-file-link

Conversation

@molucorner
Copy link
Collaborator

This PR would close issue #1621

Well. This works, at least in my end, which is about all I can say for it

Some explanantions: Alamut takes the path given in the url and adds ".bai" to the end to find the index, and if that path doesn't lead to it, loading the file fails. So that has to be worked around.

While tokens as I understand generally are sent in a header, I don't know if there's anyway to tell Alamut to send a specific header with the request, so with the url it goes... Also, an ampersand in the path gets interpreted the end of the path, so I can't get it to take both a filename and a seperate token.

Functionally, the biggest downside is that Alamut displays the path above the alignment, so when the path is encoded, that name becomes less than helpful.

Any suggestions?

OR

Testing on cg-vm1 server (Clinical Genomics Stockholm)

Prepare for testing

  1. Make sure the PR is pushed and available on Docker Hub
  2. Fist book your testing time using the Pax software available at https://pax.scilifelab.se/. The resource you are going to call dibs on is scout-stage and the server is cg-vm1.
  3. ssh <USER.NAME>@cg-vm1.scilifelab.se
  4. sudo -iu hiseq.clinical
  5. ssh localhost
  6. (optional) Find out which scout branch is currently deployed on cg-vm1: podman ps
  7. Stop the service with current deployed branch: systemctl --user stop scout@<name_of_currently_deployed_branch>
  8. Start the scout service with the branch to test: systemctl --user start scout@<this_branch>
  9. Make sure the branch is deployed: systemctl --user status scout.target
  10. After testing is done, repeat procedure at https://pax.scilifelab.se/, which will release the allocated resource (scout-stage) to be used for testing by other users.
Testing on hasta server (Clinical Genomics Stockholm)

Prepare for testing

  1. ssh <USER.NAME>@hasta.scilifelab.se
  2. Book your testing time using the Pax software. us; paxa -u <user> -s hasta -r scout-stage. You can also use the WSGI Pax app available at https://pax.scilifelab.se/.
  3. (optional) Find out which scout branch is currently deployed on cg-vm1: conda activate S_scout; pip freeze | grep scout-browser
  4. Deploy the branch to test: bash /home/proj/production/servers/resources/hasta.scilifelab.se/update-tool-stage.sh -e S_scout -t scout -b <this_branch>
  5. Make sure the branch is deployed: us; scout --version
  6. After testing is done, repeat the paxa procedure, which will release the allocated resource (scout-stage) to be used for testing by other users.

How to test:

  1. how to test it, possibly with real cases/data

Expected outcome:
The functionality should be working
Take a screenshot and attach or copy/paste the output.

Review:

  • code approved by
  • tests executed by

return abort(403)
if index:
file_path = file_path + "." + index
resp = send_file(file_path)

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression

This path depends on a [user-provided value](1).

Copilot Autofix

AI 9 months ago

To fix the issue, we need to validate the file_path to ensure it does not allow access to unintended files. This can be achieved by:

  1. Normalizing the file_path using os.path.normpath to remove any .. segments or other potentially malicious path components.
  2. Ensuring that the normalized file_path is contained within a predefined safe directory (e.g., a root directory for allowed files).
  3. Raising an exception or returning an error response if the file_path is invalid or outside the safe directory.

The fix will involve modifying the code in the remote_static_whole function to include these validation steps before calling send_file.


Suggested changeset 1
scout/server/blueprints/alignviewers/views.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/scout/server/blueprints/alignviewers/views.py b/scout/server/blueprints/alignviewers/views.py
--- a/scout/server/blueprints/alignviewers/views.py
+++ b/scout/server/blueprints/alignviewers/views.py
@@ -6,2 +6,3 @@
 import requests
+import os
 from flask import (
@@ -111,3 +112,12 @@
         file_path = file_path + "." + index
-    resp = send_file(file_path)
+    
+    # Define a safe root directory for file access
+    safe_root = "/path/to/safe/directory"
+    
+    # Normalize the file path and ensure it is within the safe root
+    full_path = os.path.normpath(os.path.join(safe_root, file_path))
+    if not full_path.startswith(safe_root):
+        return abort(403)
+    
+    resp = send_file(full_path)
     return resp
EOF
@@ -6,2 +6,3 @@
import requests
import os
from flask import (
@@ -111,3 +112,12 @@
file_path = file_path + "." + index
resp = send_file(file_path)

# Define a safe root directory for file access
safe_root = "/path/to/safe/directory"

# Normalize the file path and ensure it is within the safe root
full_path = os.path.normpath(os.path.join(safe_root, file_path))
if not full_path.startswith(safe_root):
return abort(403)

resp = send_file(full_path)
return resp
Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
return new_resp


@alignviewers_bp.route("/remote/static/whole", methods=["OPTIONS", "GET"])
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi again @molucorner! Sorry for the long time with no comments; the tests were failed on this one so we were guessing it was still in progress. So far, this looks like a test with a send-whole-file without range requests for what amounts to like 10-100 Gb alignment files? That would typically not be workable. Or maybe it was intended to send the bai files only? Did you reach the conclusion alamut still does not support range requests, or am I missing something here?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's fair! I should have asked more clearly, but I was glad to take a break from it 😅 It actually does send a range request in the header: when I'm testing it out I use a 40 GB file, and it takes about a second or two to load (though that seems to depend specifically on the number of reads at the region you ar elooking at)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, cool! But for some reason the existing ranged endpoint didn't work? Does Alamut make slightly different requests than htslib/IGV then? Or does it do some preamble check that it can reach the files in entirety first? If you wish I can try to test a little! I'll branch off your branch then to not mess it up! 😊

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Feel free! I don't think there's much to mess up 😁 Alamut doesn't get past the check_session_tracks check for me, but maybe the rest is fine?

northwestwitch and others added 29 commits January 20, 2026 15:33
@sonarqubecloud
Copy link

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants