CVE-2022-31504: [security] Path traversal due to incorrect input sanitization. by porcupineyhairs · Pull Request #3 · ChangeWeDer/BaiduWenkuSpider_flaskWeb
The ChangeWeDer/BaiduWenkuSpider_flaskWeb repository before 2021-11-29 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.
Vulnerability Report

Summary
There exists a path traversal vulnerability in the /<path:url>/<path:filename> route. This occurs as attacker controlled values are used directly in the send_from_directory call.
The vulnerability can be attributed to the following block of code.
import os
from flask import Flask, send_from_directory
app = Flask(__name__)
@app.route("/<path:url>/<path:filename>")
def downloader(url, filename):
    dirpath = os.path.join(app.root_path, url)  # directory path of the file to download
    return send_from_directory(dirpath, filename, as_attachment=True)  # as_attachment=True is required; otherwise the file is opened in the browser instead of downloaded
The os.path.join call is not safe when used with untrusted input. It does not behave well when Linux and Windows file schemes are mixed and can lead to path traversal vulnerabilities.
Remediation
The code in this PR should fix the underlying issue.
GitHub Security Advisories
If possible, could you please create a GitHub Security Advisory for these findings?
When you use a GitHub Security Advisory, you can request a CVE identification number from GitHub. GitHub usually reviews the request within 72 hours, and the CVE details will be published after you make your security advisory public. Publishing a GitHub Security Advisory and a CVE will help notify the downstream consumers of your project, so they can update to the fixed version.
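The following is an added, stand-alone example written for this page; it is not code from the PR or from the BaiduWenkuSpider_flaskWeb project. It reproduces the os.path.join behaviour the report relies on (an absolute second component discards the root, `..` segments walk out of it, and a backslash that is harmless on Linux becomes a separator on Windows) and places a hardened resolver beside it. The root directory (`/srv/app`, `C:\srv\app`) and the request parts are constructed values; `posixpath` and `ntpath` are used instead of `os.path` so the result is the same on every platform.

```python
import posixpath
import ntpath


def unsafe_download_path(root_path, url, filename):
    """Mirror the vulnerable route: os.path.join with attacker-controlled parts.
    posixpath.join behaves like os.path.join on Linux, where the app runs."""
    dirpath = posixpath.join(root_path, url)
    return posixpath.join(dirpath, filename)


def safe_download_path(root_path, url, filename):
    """Hardened resolution (added example, not the project's fix):
    reject empty or absolute parts and backslashes, normalise the
    joined path, and require it to stay below root_path.
    Returns the resolved path or None when the request is rejected."""
    for part in (url, filename):
        if not part or posixpath.isabs(part) or "\\" in part:
            return None
    root = posixpath.normpath(root_path)
    candidate = posixpath.normpath(posixpath.join(root, url, filename))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def normalise_both(root_posix, root_nt, url):
    """Show the 'mixed file schemes' point from the report: the same string
    is normalised as a POSIX path and as a Windows path."""
    return (
        posixpath.normpath(posixpath.join(root_posix, url)),
        ntpath.normpath(ntpath.join(root_nt, url)),
    )


if __name__ == "__main__":
    # Absolute url component: os.path.join throws the root away.
    print(unsafe_download_path("/srv/app", "/etc", "passwd"))
    # Relative traversal survives join and resolves outside the root.
    print(posixpath.normpath(unsafe_download_path("/srv/app", "../../etc", "passwd")))
    # Hardened resolver rejects both, keeps a legitimate request.
    print(safe_download_path("/srv/app", "/etc", "passwd"))
    print(safe_download_path("/srv/app", "../../etc", "passwd"))
    print(safe_download_path("/srv/app", "downloads/2021", "report.pdf"))
    # Backslash traversal: stays inside on Linux, escapes on Windows.
    print(normalise_both("/srv/app", "C:\\srv\\app", "sub/../..\\x"))
```

The prefix check on a normalised string is enough for the pure-string behaviour shown here; in a deployed Flask app the final path should additionally be resolved with `os.path.realpath` before the comparison so that symlinks inside the download directory cannot point outside it, or the directory and filename should be passed through Werkzeug's `safe_join`, which performs equivalent checks.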