Skip to content

security: prevent path traversal in file upload endpoint#2278

Open
anxovatomica wants to merge 1 commit into
binary-husky:masterfrom
anxovatomica:fix-path-traversal
Open

security: prevent path traversal in file upload endpoint#2278
anxovatomica wants to merge 1 commit into
binary-husky:masterfrom
anxovatomica:fix-path-traversal

Conversation

@anxovatomica

Copy link
Copy Markdown

Summary

The /upload endpoint used file.filename directly in os.path.join() without sanitizing directory traversal sequences.

Fix

Use os.path.basename() to strip path components before joining.

Impact

Remote arbitrary file write via path traversal.

PoC

curl -X POST http:\/\/target:5000\/upload -F "file=@\/dev\/null;filename=..\/..\/..\/tmp\/pwned.txt"

The /upload endpoint used file.filename directly in os.path.join() without
sanitizing directory traversal sequences. An attacker could upload a file with
filename=../../../tmp/pwned.txt to write outside the intended upload directory.

Fix: Use os.path.basename() to strip any path components from the uploaded
filename before joining with the upload directory.

Fixes potential arbitrary file write vulnerability.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant