[porcupiney.hairs]: [Python] Add Flask Path injection sinks #407

ghost · 2021-07-19T20:46:44Z

Query

CVE ID(s)

No CVE's issued yet.

Report

Flask's send_file and send_from_directory calls can allow a remote attacker to potentially access any file stored on the system if the path is controlled by them.

This can lead to a variety of issues such as

Credential leakage : An attacker may be able to access a config file with credentials stored in it.
Downloading of source code : An attacker may be able to download the code of the entire website which can lead to further compromise.
In certain cases, it may even result in remote code execution too.

This query modifies the existing Python path injection query to add support for the same.

Result(s)

The query is not run on lgtm yet. However, by using fuzzy search, I was able to find out multiple true positives for this query.

The text was updated successfully, but these errors were encountered:

antonio-morales · 2021-07-22T12:41:30Z

Hi @porcupineyhairs

in order to meet the new submission criteria, you need to support your submission with a CVE mapping (old or new) not previously covered by any existing CodeQL query. See https://securitylab.github.com/bounties for more details.

And unfortunately, I can not consider your search in Github as valid results.

I look forward to your CodeQL results :)

Regards,
Antonio.

ghost · 2021-10-21T22:47:36Z

@antonio-morales Just a quick update. I have found multiple valid results with this query. I applied for corresponding CVE mappings from MITRE a couple of weeks back but haven't heard back from them yet. So looks like this bounty application may have to be kept pending for some more time.

RasmusWL · 2021-10-28T09:41:12Z

Since the PR was looking good, I merged it to be part of the standard modeling for Python.

ghost · 2021-10-29T20:02:10Z

With @RasmusWL's PR merged, this query now detects CVE-2021-41185. I have also created a new Pr github/codeql#7009 to add a few more sanitizers. These should help reduce FP's.

haby0 · 2021-11-01T09:29:01Z

The CVE I found was used.

ghost · 2021-11-01T20:00:02Z

@haby0 My query has multiple alerts. I have applied for a CVE for some of these alerts. But it's been almost two months now and I haven't been issued a CVE-ID by MITRE. To be clear, this query has enough detection to qualify for Bug Slayer but in the absence of a CVE-ID I can't do much.

Your CVE which I use here is just speeding things up a bit while I wait on MITRE for a CVE ID. I am not claiming bounty for an otherwise ineligible report.

haby0 · 2021-11-02T04:46:22Z

@haby0 My query has multiple alerts. I have applied for a CVE for some of these alerts. But it's been almost two months now and I haven't been issued a CVE-ID by MITRE. To be clear, this query has enough detection to qualify for Bug Slayer but in the absence of a CVE-ID I can't do much.

Your CVE which I use here is just speeding things up a bit while I wait on MITRE for a CVE ID. I am not claiming bounty for an otherwise ineligible report.

I think you may have misunderstood my meaning. My original intention was mentioned in #463 yesterday.

pwntester · 2021-11-02T10:17:14Z

The CVE I found was used.

When this query was submitted there was no requirement for the query to find a new or existing CVE.
With the current requirements, its not required that your queries find a novel CVE, just that it finds any existing CVE. Its not mandatory that it needs to find a novel CVE found by you.

haby0 · 2021-11-02T11:14:35Z

The CVE I found was used.

When this query was submitted there was no requirement for the query to find a new or existing CVE. With the current requirements, its not required that your queries find a novel CVE, just that it finds any existing CVE. Its not mandatory that it needs to find a novel CVE found by you.

@pwntester Well, I think this CVE can be used directly. @porcupineyhairs

ghost · 2021-11-10T21:02:40Z

The PR is now merged.

ghsecuritylab · 2021-11-18T13:54:09Z

Your submission is now in status Test run.