pmq20/mathjax-rails

Path traversal vulnerability without Session

Opened this issue · 0 comments

Hi,

I've noticed that the function 'def giveOutStaticFile' does not properly sanitize the 'uri' variable:

filename = params[:uri]+ext
filepath = "../../../../vendor/#{Mathjax::Rails::DIRNAME}/#(unknown)"

extname = File.extname(filename)[1..-1]
mime_type = Mime::Type.lookup_by_extension(extname)
options = Hash.new
options[:type] = mime_type.to_s unless mime_type.nil?
options[:disposition] = 'inline'
file = File.expand_path(filepath, __FILE__)

So it is possible to inject URLs like:
/mathjax/%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/passwd
or on heroku apps:
/mathjax/%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../apps/Gemfile

Suggested fix (please check the PR: #25)
return render status: 404 if Pathname.new(filename).cleanpath.to_s != filename
Please consider that params[:uri] and params[:ext] could be subject to path traversal since both are included in the 'filename' variable.

If there is anything I can help you with, please feel free to ask.

Best regards,
Oliver Kuster
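The following Ruby is an added example, not code from this issue, from PR #25 or from the mathjax-rails gem. It takes the filename the controller builds (params[:uri] + ext, assumed to be already URL-decoded as Rails params are), applies the Pathname#cleanpath comparison suggested above, and adds a containment check against the asset directory, because cleanpath keeps leading ".." segments ("../../Gemfile" is already in canonical form) and so does not by itself reject every traversal. BASE_DIR, check_asset_request and resolve_asset are names chosen for this example; BASE_DIR stands in for the gem's vendor/<DIRNAME> directory.

```ruby
require 'pathname'

# Added example, not the gem's own code. BASE_DIR stands in for the
# vendor/<DIRNAME> directory the controller serves from (assumed name).
BASE_DIR = File.expand_path('vendor/mathjax', Dir.pwd)

# Validate a request built the way the vulnerable controller builds it
# (uri + ext) and decide whether it may be served.
# Returns [:ok, absolute_path] or [:rejected, reason].
# Inputs are assumed to be already URL-decoded, as Rails params are.
def check_asset_request(uri, ext, base_dir = BASE_DIR)
  return [:rejected, :missing] if uri.nil? || ext.nil?
  filename = uri + ext

  # Layer 1: the check proposed in the issue. cleanpath collapses "a/../b",
  # "./", "//" and a leading "/..", so any request that is not already in
  # canonical form is refused outright.
  return [:rejected, :not_canonical] if Pathname.new(filename).cleanpath.to_s != filename

  # Layer 2: an absolute request ("/etc/passwd") is canonical but must never
  # be joined with the asset directory.
  return [:rejected, :absolute] if filename.start_with?('/')

  # Layer 3: cleanpath keeps leading ".." segments ("../../Gemfile" passes
  # layer 1), so resolve against the base directory and require the result
  # to remain strictly inside it.
  full = File.expand_path(filename, base_dir)
  return [:rejected, :outside_base] unless full.start_with?(base_dir + File::SEPARATOR)

  [:ok, full]
end

# Convenience wrapper: the path to hand to send_file, or nil for a 404.
def resolve_asset(uri, ext, base_dir = BASE_DIR)
  status, value = check_asset_request(uri, ext, base_dir)
  status == :ok ? value : nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed requests: the first two are the URLs quoted in the issue
  # after URL decoding (with an empty extension for illustration); the rest
  # probe the other layers.
  [
    ['/../../../../../../../../../../../../etc/passwd', ''],
    ['/../../../../../../../../../../../../apps/Gemfile', ''],
    ['../../Gemfile', ''],
    ['MathJax', '/../../x.js'],
    ['MathJax', '.js'],
    ['extensions/tex2jax', '.js']
  ].each do |uri, ext|
    status, value = check_asset_request(uri, ext)
    puts format('%-55s %-14s %s', uri + ext, status, value)
  end
end
```

In the controller, a `[:rejected, ...]` result maps to the `render status: 404` proposed above; the reason symbol is useful for logging which layer fired. Because both params[:uri] and params[:ext] feed into the filename, the checks run on the concatenated value rather than on either parameter alone.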