Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Vulnerability Found #129

Closed
porcupineyhairs opened this issue Apr 29, 2022 · 1 comment
Closed

Security Vulnerability Found #129

porcupineyhairs opened this issue Apr 29, 2022 · 1 comment

Comments

@porcupineyhairs
Copy link

Absolute Path Traversal due to incorrect use of send_file call

A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. This attack is also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”.

Root Cause Analysis

The os.path.join call is unsafe for use with untrusted input. When the os.path.join call encounters an absolute path, it ignores all the parameters it has encountered till that point and starts working with the new absolute path. Please see the example below.

>>> import os.path
>>> static = "path/to/mySafeStaticDir"
>>> malicious = "/../../../../../etc/passwd"
>>> os.path.join(t,malicious)
'/../../../../../etc/passwd'

Since the "malicious" parameter represents an absolute path, the result of os.path.join ignores the static directory completely. Hence, untrusted input is passed via the os.path.join call to flask.send_file can lead to path traversal attacks.

In this case, the problems occurs due to the following code :
https://github.com/HolgerGraef/MSM/blob/6dd2c9557e0285e1270c84375ebd6f8d10e422a4/app/main/views.py#L544

Here, the path parameter is attacker controlled. This parameter passes through the unsafe os.path.join call making the effective directory and filename passed to the send_file call attacker controlled. This leads to a path traversal attack.

Proof of Concept

The bug can be verified using a proof of concept similar to the one shown below.

curl --path-as-is 'http://<domain>/plugins//../../../../etc/passwd"'

Remediation

This can be fixed by preventing flow of untrusted data to the vulnerable send_file function. In case the application logic necessiates this behaviour, one can either use the flask.safe_join to join untrusted paths or replace flask.send_file calls with flask.send_from_directory calls.

References

This bug was found using CodeQL by Github
This was referenced Apr 29, 2022
Closed
Closed
hgrf added a commit that referenced this issue Mar 10, 2023
@hgrf
add test for issue #129
a15ae87
hgrf added a commit that referenced this issue Mar 11, 2023
@hgrf
add test for issue #129
25a6f6c
@hgrf hgrf mentioned this issue Mar 11, 2023
Merged
hgrf added a commit that referenced this issue Mar 11, 2023
@hgrf
fix path traversal vulnerability (#156)
bd06f78 
* add test for issue #129
* A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. This attack is also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”.

The `os.path.join` call is unsafe for use with untrusted input. When the `os.path.join` call encounters an absolute path, it ignores all the parameters it has encountered till that point and starts working with the new absolute path.  Please see the example below.
```
>>> import os.path
>>> static = "path/to/mySafeStaticDir"
>>> malicious = "/../../../../../etc/passwd"
>>> os.path.join(t,malicious)
'/../../../../../etc/passwd'
```
Since the "malicious" parameter represents an absolute path, the result of `os.path.join` ignores the static directory completely. Hence, untrusted input is passed via the `os.path.join` call to `flask.send_file` can lead to path traversal attacks.

In this case, the problems occurs due to the following code :
https://github.com/HolgerGraef/MSM/blob/6dd2c9557e0285e1270c84375ebd6f8d10e422a4/app/main/views.py#L544

Here, the `path` parameter is attacker controlled. This parameter passes through the unsafe `os.path.join` call making the effective directory and filename passed to the `send_file` call attacker controlled. This leads to a path traversal attack.

The bug can be verified using a proof of concept similar to the one shown below.

```
curl --path-as-is 'http://<domain>/plugins//../../../../etc/passwd"'
```

This can be fixed by preventing flow of untrusted data to the vulnerable `send_file` function. In case the application logic necessiates this behaviour, one can either use the `flask.safe_join` to join untrusted paths or replace `flask.send_file` calls with `flask.send_from_directory` calls.

* [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
* github/securitylab#669

* coding style: black
* backport to old werkzeug version
* cleanup

---------

Co-authored-by: Porcupiney Hairs <[email protected]>
@hgrf
Copy link
Owner

hgrf commented Mar 11, 2023

fixed by #156

@hgrf hgrf closed this as completed Mar 11, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix Path Traversal Vulnerability
2 participants
@hgrf @porcupineyhairs