Description:
The /upload_file endpoint is vulnerable to a Path Traversal attack due to improper handling of user-supplied filenames. The application directly uses the file.filename attribute from the incoming UploadFile object to construct the file path without sanitization or validation, allowing a malicious actor to overwrite arbitrary files on the host system.
Vulnerable Code Location:
File: main.py
Method: upload_file(file: UploadFile)
file_name = file.filename
work_directory = CONFIG['filesystem']['work_directory']
Vulnerable concatenation using os.path.join
with open(os.path.join(work_directory, file_name), 'wb') as f:
f.write(upload_file)
Attack Vector:
By crafting a request with a filename containing path traversal sequences (e.g., ../../../../app/main.py), an attacker can escape the designated work_directory and overwrite sensitive files within the application's environment or the underlying host system.
Impact:
Arbitrary File Overwrite: Attackers can modify critical application scripts, configurations, or system files.
Remote Code Execution (RCE): If the application runs with elevated privileges (e.g., root), overwriting executable scripts or configuration files can lead to a full system compromise.
Proposed Remediation:
-
Sanitize Filenames: Use os.path.basename() to strip any directory components from the user-supplied filename.
-
Validate Path: Resolve the absolute path of the destination and verify that it strictly starts with the intended work_directory path.
-
Whitelist/Randomize: Consider ignoring the user-supplied filename entirely and saving the file using a generated UUID or a strictly validated whitelist of allowed characters.
Description:
The /upload_file endpoint is vulnerable to a Path Traversal attack due to improper handling of user-supplied filenames. The application directly uses the file.filename attribute from the incoming UploadFile object to construct the file path without sanitization or validation, allowing a malicious actor to overwrite arbitrary files on the host system.
Vulnerable Code Location:
File: main.py
Method: upload_file(file: UploadFile)
file_name = file.filename
work_directory = CONFIG['filesystem']['work_directory']
Vulnerable concatenation using os.path.join
with open(os.path.join(work_directory, file_name), 'wb') as f:
f.write(upload_file)
Attack Vector:
By crafting a request with a filename containing path traversal sequences (e.g., ../../../../app/main.py), an attacker can escape the designated work_directory and overwrite sensitive files within the application's environment or the underlying host system.
Impact:
Arbitrary File Overwrite: Attackers can modify critical application scripts, configurations, or system files.
Remote Code Execution (RCE): If the application runs with elevated privileges (e.g., root), overwriting executable scripts or configuration files can lead to a full system compromise.
Proposed Remediation:
Sanitize Filenames: Use os.path.basename() to strip any directory components from the user-supplied filename.
Validate Path: Resolve the absolute path of the destination and verify that it strictly starts with the intended work_directory path.
Whitelist/Randomize: Consider ignoring the user-supplied filename entirely and saving the file using a generated UUID or a strictly validated whitelist of allowed characters.