Description
While triaging your project, our bug fixing tool generated the following message -
In file: routes.py, there is a method that is vulnerable to a path manipulation attack. By modifying file paths, an attacker can acquire sensitive information from different resources.
--- certificate_generator/app/routes.py
+++ certificate_generator/app/routes.py
@@ -48,5 +48,20 @@
if request.method == "GET":
filename = request.args.get("filename")
filepath = os.path.join("static/certificates/generated", filename)
+ '''
+ ***************** OpenRefactory Warning *****************
+ Possible Path manipulation attack!
+ Path:
+ File: routes.py, Line: 49
+ filename = request.args.get("filename")
+ Variable filename is assigned a tainted value from an external source.
+ File: routes.py, Line: 50
+ filepath = os.path.join("static/certificates/generated", filename)
+ Variable filepath is assigned a tainted value.
+ File: routes.py, Line: 51
+ return send_file(filepath, as_attachment=True, cache_timeout=0,
+ attachment_filename=filename)
+ Tainted information is used in a sink.
+ '''
return send_file(filepath, as_attachment=True, cache_timeout=0,
attachment_filename=filename)
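Review bot: this hunk changes nothing at runtime: the triple-quoted warning is a bare string expression inside the handler, and the `send_file(filepath, ...)` at its end still receives the unvalidated `filename` from `request.args.get("filename")`. Replace the join with `send_from_directory("static/certificates/generated", filename, as_attachment=True)` (or validate with `werkzeug.utils.safe_join` and return 404 on `None`), and handle a missing parameter, since `os.path.join(..., None)` raises and turns the request into a 500. The download name passed as `attachment_filename` should likewise be derived from the validated basename rather than the raw query value.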
Here `filename` is taken from the request parameters and joined with a fixed directory to form a path, and the file at that path is sent back as the response. Since `filename` is not sanitized, it can be assigned values containing `../` to cause a path traversal attack.

For example, if the current directory is `/path/to/app`, then the following request can be sent to get the contents of `/etc/passwd`:

http://localhost:5000/download_certificate?filename=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

The payload is the URL-encoded version of `../../../../../../etc/passwd`.
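As an added example (not the project's code), the same join done safely: the query value is decoded as Flask would, absolute names are refused, and the normalised result must stay under the certificate directory. `CERT_DIR` mirrors the directory used in routes.py; the helper names are assumptions.

```python
import os
import posixpath
from urllib.parse import unquote

# Directory used by the vulnerable handler in routes.py (relative to the app's cwd).
CERT_DIR = "static/certificates/generated"

# The URL-encoded payload quoted in the report, used for the decoding step below.
ENCODED_PAYLOAD = "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd"


def decode_filename(raw_query_value: str) -> str:
    """Flask hands the handler the percent-decoded value; do the same here."""
    return unquote(raw_query_value)


def unsafe_path(filename: str) -> str:
    """Mirrors the vulnerable join: the user-controlled name is appended as-is.

    Besides '../' escapes, an absolute filename makes os.path.join discard
    CERT_DIR entirely, so the base directory offers no protection at all.
    """
    return os.path.join(CERT_DIR, filename)


def safe_certificate_path(filename, base_dir: str = CERT_DIR):
    """Return an absolute path strictly inside base_dir, or None if the name escapes it.

    Hypothetical hardening written for this example, not the project's own code.
    """
    if not filename:                                  # missing or empty parameter
        return None
    # Reject absolute names of either flavour; os.path.join would drop the base.
    if os.path.isabs(filename) or posixpath.isabs(filename):
        return None
    base = os.path.realpath(base_dir)
    # Normalise '..' segments and symlinks before comparing, so the prefix check holds.
    candidate = os.path.realpath(os.path.join(base, filename))
    # Require base + separator: rejects '.' and siblings such as 'generated2'.
    if not candidate.startswith(base + os.sep):
        return None
    return candidate
```

In Flask the same guarantee comes from `send_from_directory(CERT_DIR, filename, as_attachment=True)`, which applies `werkzeug.utils.safe_join` and answers 404 when the name escapes the directory.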
CLA Requirements:
This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.
All contributed commits are already automatically signed off.
The meaning of a signoff depends on the project, but it typically certifies that the committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see https://developercertificate.org/ for more information).
Sponsorship and Support:
This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed - to improve global software supply chain security.
The bug was found by running the iCR tool by OpenRefactory, Inc. and then manually triaging the results.