Azure-sdk-for-python: ContainerClient operates on the wrong blob if blob name type has a "name" attribute

Created on 17 Apr 2020 · 3 Comments · Source: Azure/azure-sdk-for-python

  • Package Name: azure-storage-blob
  • Package Version: 12.3.0
  • Operating System: MacOS X, Ubuntu 18.04
  • Python Version: 3.8.0

Describe the bug
_get_blob_name in ContainerClient changes the name of the blob argument, resulting in further actions operating on the wrong blob.

This function expects either str or BlobProperties, but given any argument with a name attribute, it will use the value of argument.name rather than argument itself. This causes issues, for example, for users of the "path" library (formerly "path.py"). path.Path inherits from str and so is a valid argument for blob, but its name attribute returns a file basename, so effectively a blob key like "foo/bar/baz.txt" is truncated to "baz.txt".

To Reproduce
Steps to reproduce the behavior:

  1. Identify a blob in an accessible container that is not at root level, i.e. its key contains '/' separators.
  2. pip install path
  3. Execute the following:
from azure.storage.blob import BlobServiceClient
from path import Path
connection_string = "<YOUR CONNECTION STRING>"
container_name = "<YOUR CONTAINER NAME>"
blob_service = BlobServiceClient.from_connection_string(connection_string)
container_client = blob_service.get_container_client(container_name)

# Error case
container_client.get_blob_client(Path('YOUR/BLOB/KEY.txt')).url
#  Expected: https://ACCOUNT.blob.core.windows.net/CONTAINER/YOUR%2FBLOB%2FKEY.txt
#  Actual:   https://ACCOUNT.blob.core.windows.net/CONTAINER/KEY.txt

Expected behavior
As explained above, the full key name should be preserved even when using subclasses of str, like Path. I propose the following implementation for _get_blob_name:

def _get_blob_name(blob):
    """Return the blob name.

    :param blob: A blob string or BlobProperties
    :rtype: str
    """
    if isinstance(blob, BlobProperties):
        return blob.name
    return blob

Additional context
The "path" library is a widely used object-oriented wrapper over os.path functions, predating the pathlib builtin module.

This bug could have catastrophic consequences: ContainerClient.delete_blob appears to be impacted, meaning that a caller could inadvertently delete the wrong blob.

Client Service Attention Storage bug customer-reported
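
The failure mode reported above can be reproduced offline. The following is an added example, not code from the original issue or from the SDK: it contrasts name resolution that trusts any `name` attribute with the type-checked version proposed in the report, and adds a caller-side guard. `PathLike`, the `BlobProperties` stand-in, `as_blob_key`, the dict-backed `delete_blob` and the blob keys are all constructed for illustration.

```python
import posixpath

class BlobProperties:
    """Stand-in for the SDK's BlobProperties (constructed for this example)."""
    def __init__(self, name):
        self.name = name

class PathLike(str):
    """Constructed str subclass mimicking path.Path: .name is the basename."""
    @property
    def name(self):
        return posixpath.basename(self)

def get_blob_name_duck_typed(blob):
    """Behaviour described in the report: any .name attribute wins."""
    try:
        return blob.name
    except AttributeError:
        return blob

def get_blob_name_type_checked(blob):
    """The check proposed in the report: only BlobProperties is unwrapped."""
    if isinstance(blob, BlobProperties):
        return blob.name
    return blob

def as_blob_key(blob):
    """Hypothetical caller-side guard: collapse str subclasses to exact str."""
    if isinstance(blob, BlobProperties):
        return blob.name
    if not isinstance(blob, str):
        raise TypeError(f"expected str or BlobProperties, got {type(blob).__name__}")
    return str(blob)  # str() on a str subclass returns a plain str

def delete_blob(store, blob, resolver):
    """Toy delete over a dict-backed container; returns the key removed."""
    key = resolver(blob)
    store.pop(key, None)
    return key

if __name__ == "__main__":
    # Constructed container contents: a nested blob and a root-level namesake.
    store = {"reports/2020/summary.txt": b"nested", "summary.txt": b"root"}
    target = PathLike("reports/2020/summary.txt")
    print(delete_blob(dict(store), target, get_blob_name_duck_typed))    # root-level key
    print(delete_blob(dict(store), target, get_blob_name_type_checked))  # intended key
    print(delete_blob(dict(store), as_blob_key(target), get_blob_name_duck_typed))
```

Passing keys through a guard like `as_blob_key` before calling the client keeps the full key intact even where name resolution is duck-typed.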

All 3 comments

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage.

Hi @riazjahangir
Thanks for your suggestion, I think it's pretty reasonable. We will use your recommended way in the future!

Hi @riazjahangir
This problem is fixed in the most recent release. Thanks for reporting this.
