In most applications, absolute paths are considered secure because they are typically verified before they are used. The Flask RESTful API allows the send_file function to be used unsafely. This means that any file on the server can be sent as a request body and therefore absolute path traversal can take place. This is demonstrated in the akashtalole/python-flask-restful-api GitHub repository through 2019-09-16 where every request (e.g., POST, PUT) can send a different file with an absolute file path.
Scenario
You are using a Flask RESTful API to create and store content in your database. You have an endpoint which stores the content of a file in the database.
CVE-2023-31572
The Flask RESTful API allows the send_file function to be used unsafely. This means that any file on the server can be sent as a request body and therefore absolute path traversal can take place. This is demonstrated in the akashtalole/python-flask-restful-api GitHub repository through 2019-09-16 where every request (e.g., POST, PUT) can send a different file with an absolute file path.
Step 1: Check the API endpoints
The first step to following this vulnerability is to check the endpoints of the application. The default endpoint for these APIs should be /api/v1/functions/send_file. This endpoint requires a filename parameter, which will be used as the request body when sending a file. In order to determine if this endpoint is vulnerable, you can send a POST request with no parameters and observe what happens. If the request is successful and a response with an HTTP 200 status code is returned, then it will clearly show that absolute path traversal is possible through send_file function.
Timeline
Published on: 07/11/2022 01:15:00 UTC
Last modified on: 07/15/2022 16:51:00 UTC