
Potential Path Manipulation in file certificate_generator/app/routes.py #951

Open
ZuhairORZaki opened this issue Feb 23, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@ZuhairORZaki

While triaging your project, our bug-fixing tool generated the following message:

In file: routes.py, there is a method that is vulnerable to path manipulation attack. By modifying file paths, an attacker can acquire sensitive information from different resources.

--- certificate_generator/app/routes.py

+++ certificate_generator/app/routes.py

@@ -48,5 +48,20 @@

     if request.method == "GET":

         filename = request.args.get("filename")

         filepath = os.path.join("static/certificates/generated", filename)

+        '''

+        ***************** OpenRefactory Warning *****************

+        Possible Path manipulation attack!

+        Path:

+        	File: routes.py, Line: 49

+        		filename = request.args.get("filename")

+        		Variable filename is assigned a tainted value from an external source.

+        	File: routes.py, Line: 50

+        		filepath = os.path.join("static/certificates/generated", filename)

+        		Variable filepath is assigned a tainted value.

+        	File: routes.py, Line: 51

+        		return send_file(filepath, as_attachment=True, cache_timeout=0,

+        		                         attachment_filename=filename)

+        		Tainted information is used in a sink.

+        '''

         return send_file(filepath, as_attachment=True, cache_timeout=0,

                          attachment_filename=filename)
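Review bot: this hunk only inserts a docstring between the tainted `filepath = os.path.join(...)` assignment and the `send_file(filepath, ...)` sink; it documents the taint path but changes nothing in the data flow, so a request with `..` segments still reaches `send_file` exactly as before. The fix belongs in the kept lines: serve through Flask's directory-bound helper, e.g. `return send_from_directory("static/certificates/generated", filename, as_attachment=True)`, which refuses names that escape the directory, and return a 400/404 when `request.args.get("filename")` is `None` (as written, `os.path.join` raises `TypeError` on a missing parameter). While touching these lines, note that `cache_timeout=` and `attachment_filename=` were renamed to `max_age=` and `download_name=` in Flask 2.0, so the retained call will not run on current Flask.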

Here filename is taken from request parameters and joined with a specific directory to form a path. Then the file corresponding to that path is sent back as the response. Since filename is not sanitized, it can be assigned values containing ../ to cause a path traversal attack.

For example, if the current directory is /path/to/app then the following request can be sent to get the contents of /etc/passwd:

http://localhost:5000/download_certificate?filename=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

The payload is the URL-encoded version of ../../../../../../etc/passwd.

CLA Requirements:

This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.

All contributed commits are already automatically signed off.

The meaning of a signoff depends on the project, but it typically certifies that the committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see https://developercertificate.org/ for more information).

Sponsorship and Support:

This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed - to improve global software supply chain security.

The bug is found by running the iCR tool by OpenRefactory, Inc. and then manually triaging the results.
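As an added, stand-alone illustration of the report above (not code from the project or from the reporter), the following shows where the reported `os.path.join` ends up pointing for the quoted request, and a stdlib containment check in the spirit of Flask's `safe_join` that rejects such names; `CERT_DIR`, `/path/to/app` and the helper names are assumptions for the example.

```python
import os
import posixpath
import urllib.parse
from pathlib import Path

# Directory the download handler is meant to serve from (as in the reported routes.py).
CERT_DIR = "static/certificates/generated"

# The request quoted in the issue, reused here as the sample input.
SAMPLE_URL = ("http://localhost:5000/download_certificate?filename="
              "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd")


def filename_from_url(url):
    """Decode the `filename` query parameter the way Flask's request.args would."""
    query = urllib.parse.urlparse(url).query
    return urllib.parse.parse_qs(query).get("filename", [None])[0]


def vulnerable_resolution(filename, cwd="/path/to/app"):
    """Where the original os.path.join ends up pointing, relative to the app's working
    directory. Purely lexical POSIX resolution, so the result is the same on any host."""
    return posixpath.normpath(posixpath.join(cwd, CERT_DIR, filename))


def safe_cert_path(filename, base_dir=CERT_DIR):
    """Stdlib containment check (same intent as flask.safe_join): return the resolved
    path inside base_dir, or None when the requested name must be rejected."""
    if not filename:
        return None                          # missing parameter: never join None
    if os.path.isabs(filename):
        return None                          # os.path.join would discard base_dir
    base = Path(base_dir).resolve()
    candidate = (base / filename).resolve()  # collapses '..' and symlinks
    if candidate == base:
        return None                          # '.' or 'sub/..' names the directory itself
    try:
        candidate.relative_to(base)          # ValueError if the path escaped base
    except ValueError:
        return None
    return str(candidate)
```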

@ZuhairORZaki ZuhairORZaki added the bug Something isn't working label Feb 23, 2024
@seowwj

seowwj commented Feb 28, 2024

Hi, can I work on this issue?

@ZuhairORZaki
Author

Hi @seowwj
Sure. Please feel free to do so if you're so inclined.
