Two Path Traversal Vulnerabilities

[tch1bo]

Hello,

I noticed 2 Path Traversal vulnerabilities in apps/embed/views.py:

The first one allows to overwrite any file with .zip extension on the server. The vulnerability is located in line:

dataviva-site/dataviva/apps/embed/views.py

Line 423 in 5bb4dac

basedir, "dataviva/static/downloads/" + filenameDownload + ".zip"), mode='w')

and can be triggered by executing a request with title set to ../../../../../../some/file/path.

The second allows to delete any file with extensions .png, .svg., .pdf, .csv, .url2csv and is located in lines:

dataviva-site/dataviva/apps/embed/views.py

Line 419 in 5bb4dac

with open(os.path.join(basedir, "dataviva/static/downloads/" + title_safe + "." + format), "wb") as fo:

and

dataviva-site/dataviva/apps/embed/views.py

Line 430 in 5bb4dac

os.remove(os.path.join(basedir, "dataviva/static/downloads/" + title_safe + "." + format))

These two vulnerabilities can lead to some nasty security consequences and are fairly easy to fix, so i would advise you to patch them. The most trivial fix would be to use werkzeug.secure_filename() function to sanitize the input, but maybe a more detailed code review is needed. For example, the download_file response object from line

dataviva-site/dataviva/apps/embed/views.py

Line 415 in 5bb4dac

download_file = make_response(Response(response_data,

is not used, which is probably not the intended behavior.

Please note that i am not a regular contributor to your project. I found the bugs while testing DeepCode’s AI Code Review. The tool can help you automate the process of finding such (and many other types of) bugs. You can sign-up your repo (free for Open Source) to receive notifications whenever new bugs are detected. You can give it a try here.

Any feedback is more than welcome at chibo@deepcode.ai.

Cheers, Victor.