Skip to content

[Security Vulnerability] Path Traversal in /upload_file endpoint allowing arbitrary file overwrite #430

Description

@QiuYucheng2003

Description:
The /upload_file endpoint is vulnerable to a Path Traversal attack due to improper handling of user-supplied filenames. The application directly uses the file.filename attribute from the incoming UploadFile object to construct the file path without sanitization or validation, allowing a malicious actor to overwrite arbitrary files on the host system.

Vulnerable Code Location:
File: main.py
Method: upload_file(file: UploadFile)
file_name = file.filename
work_directory = CONFIG['filesystem']['work_directory']

Vulnerable concatenation using os.path.join

with open(os.path.join(work_directory, file_name), 'wb') as f:
f.write(upload_file)

Attack Vector:
By crafting a request with a filename containing path traversal sequences (e.g., ../../../../app/main.py), an attacker can escape the designated work_directory and overwrite sensitive files within the application's environment or the underlying host system.

Impact:

Arbitrary File Overwrite: Attackers can modify critical application scripts, configurations, or system files.

Remote Code Execution (RCE): If the application runs with elevated privileges (e.g., root), overwriting executable scripts or configuration files can lead to a full system compromise.

Proposed Remediation:

  1. Sanitize Filenames: Use os.path.basename() to strip any directory components from the user-supplied filename.

  2. Validate Path: Resolve the absolute path of the destination and verify that it strictly starts with the intended work_directory path.

  3. Whitelist/Randomize: Consider ignoring the user-supplied filename entirely and saving the file using a generated UUID or a strictly validated whitelist of allowed characters.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions