is_file_hidden_posix() has problem with symlinks where target is not accessible #224

Closed
rcthomas opened this issue Apr 27, 2021 · 3 comments

Comments

@rcthomas

It seems that in is_file_hidden_posix() an exception is raised if it comes across a symlink where the target path is not accessible to the user (PermissionError). This has the effect of stopping the file contents manager from displaying the contents of a directory containing such links in JupyterLab 3.

Right now if os.stat() raises errno.ENOENT then the function returns False. I find that if I allow the function to similarly return False if os.stat() raises errno.EACCES, then the file listing works.

Is this an actual bug (and fix) and if so maybe does it need to be applied in the non-posix function as well?

@kevin-bates
Member

Hi @rcthomas. I think the intention relative to EACCES is that files in which the active user is denied access should not show up in any listing, irrespective of the allow_hidden trait, as that can be considered a security issue. As a result, I'm inclined to say the calling application should handle raised exceptions (and be responsible for not hinting that a file may be protected).

I suppose one could view denied files as "hidden", but given the trait's existence, I think that would still be considered a security issue. (I also think the directory listing logic in server could use some refactoring since it could still expose these kinds of files in listings and/or warning messages - as well as the fact that EACCES terminates the listing.)

@rcthomas
Author

Thanks for explaining, I suppose then this is more appropriate to discuss at jupyter_server then?

@kevin-bates
Member

Yes, I believe so.
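
An added example, not part of the thread and not code from jupyter_core or jupyter_server: a caller-side directory listing that treats a PermissionError from the hidden check as "omit this entry and keep going", so one inaccessible symlink target neither aborts the listing nor appears in it. `hidden_check` and `list_visible` are hypothetical names, `hidden_check` is a simplified stand-in that only models the ENOENT/EACCES behaviour described in the issue, and the denied access is simulated with an injected stat function so the sample runs as any user.

```python
import errno
import os
import tempfile


def hidden_check(path, stat=os.stat):
    """Simplified stand-in for the hidden-file check (hypothetical)."""
    if os.path.basename(path).startswith("."):
        return True
    try:
        stat(path)  # follows symlinks, so it can fail on the link target
    except OSError as e:
        if e.errno == errno.ENOENT:
            return False  # behaviour described in the issue
        raise  # EACCES reaches the caller as PermissionError
    return False


def list_visible(directory, stat=os.stat):
    """Caller-side listing that survives entries the user may not stat."""
    visible = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        try:
            if hidden_check(path, stat=stat):
                continue
        except PermissionError:
            # Omit silently: the name goes into neither the listing
            # nor any user-facing warning, and the loop continues.
            continue
        visible.append(name)
    return visible


def demo():
    """Build a constructed sample directory and list it."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("a.txt", ".dotfile"):
            open(os.path.join(d, name), "w").close()
        os.symlink(os.path.join(d, "missing"), os.path.join(d, "dangling"))
        os.symlink(os.path.join(d, "a.txt"), os.path.join(d, "locked_link"))

        def fake_stat(path):  # simulates EACCES on one symlink target
            if os.path.basename(path) == "locked_link":
                raise PermissionError(errno.EACCES, "Permission denied", path)
            return os.stat(path)

        return list_visible(d, stat=fake_stat)
```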
