[Bug 1224344] New: VUL-0: CVE-2024-4982: pagure: Path traversal in view_issue_raw_file()
https://bugzilla.suse.com/show_bug.cgi?id=1224344

            Bug ID: 1224344
           Summary: VUL-0: CVE-2024-4982: pagure: Path traversal in view_issue_raw_file()
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.6
          Hardware: Other
               URL: https://smash.suse.de/issue/405937/
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Other
          Assignee: ngompa13@gmail.com
          Reporter: smash_bz@suse.de
        QA Contact: security-team@suse.de
                CC: gianluca.gabrielli@suse.com
  Target Milestone: ---
          Found By: Security Response Team
           Blocker: ---

Description of problem:

In issues.py, view_issue_raw_file() serves issue attachments from
pagure_config["ATTACHMENTS_FOLDER"]. The requested filename comes directly
from the URL and is concatenated with the attachments folder and the
repository name.

    @UI_NS.route("/<repo>/issue/raw/<path:filename>")
    @UI_NS.route("/<namespace>/<repo>/issue/raw/<path:filename>")
    @UI_NS.route("/fork/<username>/<repo>/issue/raw/<path:filename>")
    @UI_NS.route("/fork/<username>/<namespace>/<repo>/issue/raw/<path:filename>")
    @has_issue_tracker
    def view_issue_raw_file(repo, filename=None, username=None, namespace=None):
        # [...]
        attachdir = os.path.join(
            pagure_config["ATTACHMENTS_FOLDER"], repo.fullname
        )
        attachpath = os.path.join(attachdir, filename)
        if not os.path.exists(attachpath):
            # [...]
        # At this moment, attachpath exists and points to the file
        with open(attachpath, "rb") as f:
            data = f.read()
        # [...]
        return (data, 200, pagure.lib.mimetype.get_type_headers(filename, data))

The "path" routing converter accepts all characters, including slashes and
thus also directory traversal sequences.

Version-Release number of selected component (if applicable):
Introduced with commit 96c928b in release 3.0, and verified on latest commit
as of today (fe91f76).

How reproducible:
This bug can be reproduced on the latest development version of Pagure; see
steps below.
It is important to note that reverse-proxies in front of Pagure can thwart
exploitation attempts depending on their configuration, as they often try to
normalize the URL. This is not a security feature and it shouldn't be relied
upon. I could demonstrate it locally but not on stg.pagure.io after succinct
tests.

Steps to Reproduce:
1. Create a new repository;
2. Go to "Settings", "Project Options" and make sure that "Issue tracker" is ticked;
3. Run the command
   curl --path-as-is 'http://pagure.local:5000/your-repository/issue/raw/../../../../../../../etc/...'.

Actual results:
On my test instance, the content of /etc/passwd is shown.

Expected results:
Only files under the intended attachments folder should be served.

Additional info:
Flask offers flask.send_from_directory()
(https://flask.palletsprojects.com/en/3.0.x/api/#flask.send_from_directory)
for such cases.

https://bugzilla.redhat.com/show_bug.cgi?id=2279411

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-4982
https://bugzilla.redhat.com/show_bug.cgi?id=2280726

--
You are receiving this mail because:
You are on the CC list for the bug.
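The containment check that the report's "Expected results" asks for, as an added example (this is neither pagure's code nor the fix shipped for CVE-2024-4982): vulnerable_attachpath() mirrors the os.path.join the report quotes, while safe_attachpath() resolves the candidate with os.path.realpath() and refuses anything outside the per-repository folder, which is the kind of guard flask.send_from_directory() provides for this case. The repository name, attachment file and planted symlink built by demo() are constructed test data.

```python
import os
import posixpath
import tempfile
from typing import Optional


def vulnerable_attachpath(attachments_folder: str, repo_fullname: str, filename: str) -> str:
    """The join quoted in the report: nothing checks that the result stays
    inside attachdir, and os.path.join even drops attachdir when filename
    is absolute."""
    attachdir = os.path.join(attachments_folder, repo_fullname)
    return os.path.join(attachdir, filename)


def safe_attachpath(attachments_folder: str, repo_fullname: str, filename: str) -> Optional[str]:
    """Resolved path of the requested attachment, or None when the request
    would leave the per-repository attachment directory."""
    attachdir = os.path.realpath(os.path.join(attachments_folder, repo_fullname))
    # The "path" route converter passes slashes through, so refuse empty and
    # absolute names before joining anything.
    if not filename or posixpath.isabs(filename):
        return None
    # realpath collapses "." and ".." and follows symlinks, so the containment
    # test also catches a symlink planted inside the attachment folder.
    candidate = os.path.realpath(os.path.join(attachdir, filename))
    if os.path.commonpath([attachdir, candidate]) != attachdir:
        return None
    return candidate


def demo() -> dict:
    """Run both joins against a constructed attachment tree in a temp dir."""
    root = os.path.realpath(tempfile.mkdtemp())
    repo = "fork/alice/demo"  # constructed repo.fullname for a forked project
    attachdir = os.path.join(root, repo)
    os.makedirs(attachdir)
    with open(os.path.join(attachdir, "screenshot.png"), "wb") as f:
        f.write(b"constructed attachment")
    os.symlink("/etc/passwd", os.path.join(attachdir, "link"))  # planted symlink
    traversal = "../../../../../../../etc/passwd"
    return {
        "legit": safe_attachpath(root, repo, "screenshot.png") == os.path.join(attachdir, "screenshot.png"),
        "traversal_vuln": os.path.normpath(vulnerable_attachpath(root, repo, traversal)),
        "traversal_safe": safe_attachpath(root, repo, traversal),
        "absolute_vuln": vulnerable_attachpath(root, repo, "/etc/passwd"),
        "absolute_safe": safe_attachpath(root, repo, "/etc/passwd"),
        "symlink_safe": safe_attachpath(root, repo, "link"),
    }
```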
https://bugzilla.suse.com/show_bug.cgi?id=1224344
https://bugzilla.suse.com/show_bug.cgi?id=1224344#c1

--- Comment #1 from Gianluca Gabrielli <gianluca.gabrielli@suse.com> ---
Pagure is present on the following codestreams:
- openSUSE:Backports:SLE-15-SP4/pagure
- openSUSE:Backports:SLE-15-SP5/pagure
- openSUSE:Backports:SLE-15-SP6/pagure
- openSUSE:Factory/pagure
https://bugzilla.suse.com/show_bug.cgi?id=1224344

Maintenance Automation <maint-coord+maintenance-robot@suse.de> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
          Priority|P5 - None   |P3 - Medium