Sanster/IOPaint

[BUG] Critical CVE File Overwrite

caerry opened this issue · 1 comments


Describe the bug
CVE type: File Overwrite
URL: http://localhost:8080/api/v1/save_image

PoC: curl -X POST "http://localhost:8080/api/v1/save_image" -F "file=@file.mp4;filename=../../etc/passwd;"

The error is here:

def api_save_image(self, file: UploadFile):
    # filename is taken straight from the multipart upload and is never validated
    filename = file.filename

    origin_image_bytes = file.file.read()
    # the user-controlled filename is joined to output_dir, so "../" segments escape it
    with open(self.config.output_dir / filename, "wb") as fw:
        fw.write(origin_image_bytes)

There is no check on the filename, so it is user-controlled. Basically, we can't name our files like "../../something", but that isn't the case when we're using curl.


System Info
Software version used

  • iopaint: 1.4.2
  • pytorch:
  • CUDA:

Solution: it can be easily fixed with pathlib's is_path check.
pathlib.Path(filename).is_path()
Gonna create a PR.