Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix Path Traversal Vulnerability #11

Closed
wants to merge 1 commit into from
+2 −2
Closed

Fix Path Traversal Vulnerability #11

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
# Absolute Path Traversal due to incorrect use of send_file call 
A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. This attack is also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”.

## Root Cause Analysis

Passing untrusted input to `flask.send_file`can lead to path traversal attacks.

In this case, the problems occurs due to the following code :
https://github.com/piaoyunsoft/bt_lnmp/blob/fa49519b04586a00e76c105e7ce1da36eadf6922/www/server/panel/BTPanel/__init__.py#L858

Here, the `filename` parameter is attacker controlled and is used as the filename passed to the `send_file` call. This leads to a path traversal attack.

## Remediation

This can be fixed by preventing flow of untrusted data to the vulnerable `send_file` function. In case the application logic necessiates this behaviour, one can either use the `flask.safe_join` to join untrusted paths or replace `flask.send_file` calls with `flask.send_from_directory` calls.

## References
* [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
* github/securitylab#669

### This bug was found using *[CodeQL by Github](https://codeql.github.com/)*
Porcupiney Hairs committed Apr 28, 2022

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode
commit 45a0dbc023fa2d856c895883d6fa6b4f4426c956
4 changes: 2 additions & 2 deletions webflaskapi/flaskapi/core/app_setup.py
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
import os

from flask import current_app, make_response, request
from flask import send_file, render_template
from flask import send_file, render_template, safe_join

from flaskapi.core.worker import celery
import celery.states as states
@@ -55,7 +55,7 @@ def check_task(task_id: str) -> str:
def route_frontend(path):
# ...could be a static file needed by the front end that
# doesn't use the `static` path (like in `<script src="bundle.js">`)
file_path = os.path.join(current_app.template_folder, path)
file_path = safe_join(current_app.template_folder, path)
if os.path.isfile(file_path):
return send_file(file_path)
# ...or should be handled by the SPA's "router" in front end