[Django] #36257: Path Traversal Uncontrolled data used in path expression

[Django]

#36257: Path Traversal Uncontrolled data used in path expression
-----------------------------------------+--------------------------
Reporter: odaysec | Owner: odaysec
Type: Uncategorized | Status: assigned
Component: Packaging | Version: 5.1
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+--------------------------
https://github.com/django/django/blob/ef6a83789b310a441237a190a493c9586a4cb260/django/views/static.py#L60-L60

Accessing files using paths constructed from user-controlled data can
allow an attacker to access unexpected resources. This can result in
sensitive information being revealed or deleted, or an attacker being able
to influence behavior by modifying unexpected files.

**## POC**
In the first vulnerable, a file name is read from an HTTP request and then
used to access a file. However, a malicious user could enter a file name
that is an absolute path, such as `"/etc/passwd"`.

In the second example, it appears that the user is restricted to opening a
file within the `"user"` home directory. However, a malicious user could
enter a file name containing special characters. the string
`"../../../etc/passwd"` will result in the code reading the file located
at `"/server/static/images/../../../etc/passwd"`, which is the system's
password file. This file would then be sent back to the user, giving them
access to all the system's passwords. Note that a user could also use an
absolute path here, since the result of
`os.path.join("/server/static/images/", "/etc/passwd")` is
`"/etc/passwd"`.

the path used to access the file system is normalized before being checked
against a known prefix. This ensures that regardless of the user input,
the resulting path is safe.

```js
{{{
import os.path
from flask import Flask, request, abort

app = Flask(__name__)

@app.route("/user_picture1")
def user_picture1():
filename = request.args.get('p')
# BAD: This could read any file on the file system
data = open(filename, 'rb').read()
return data

@app.route("/user_picture2")
def user_picture2():
base_path = '/server/static/images'
filename = request.args.get('p')
# BAD: This could still read any file on the file system
data = open(os.path.join(base_path, filename), 'rb').read()
return data

@app.route("/user_picture3")
def user_picture3():
base_path = '/server/static/images'
filename = request.args.get('p')
#GOOD -- Verify with normalised version of path
fullpath = os.path.normpath(os.path.join(base_path, filename))
if not fullpath.startswith(base_path):
raise Exception("not allowed")
data = open(fullpath, 'rb').read()
return data
}}}
```

**## References**
- https://owasp.org/www-community/attacks/Path_Traversal
- http://werkzeug.pocoo.org/docs/utils/#werkzeug.utils.secure_filename
- CWE-22
- CWE-23
- CWE-36
- CWE-73
- CWE-99
--
Ticket URL: <https://code.djangoproject.com/ticket/36257>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

[Django]

#36257: Path Traversal Uncontrolled data used in path expression

-------------------------------+----------------------------------------
Reporter: Zeroday BYTE | Owner: Zeroday BYTE

Type: Uncategorized | Status: assigned
Component: Packaging | Version: 5.1

Severity: Normal | Resolution:

Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0

-------------------------------+----------------------------------------
Comment (by Natalia Bidart):

Hello, I'm deleting this ticket because it's potentially a security issue.
Security issues should be reported privately via email to
secu...@djangoproject.com.
--
Ticket URL: <https://code.djangoproject.com/ticket/36257#comment:1>