Skip to content

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in github.com/flipped-aurora/gin-vue-admin

High
piexlmax published GHSA-32gq-gj42-mw43 Apr 13, 2022

Package

gomod github.com/flipped-aurora/gin-vue-admin (Go)

Affected versions

<2.5.1

Patched versions

<2.5.1

Description

Impact

Gin-vue-admin 2.50 has arbitrary file read vulnerability.
Arbitrary file read/download vulnerability is a Web security vulnerability, which can leak source code, database configuration files, resulting in a site in an extremely insecure state, such as reading /etc/passwd.

Patches

https://github.com/flipped-aurora/gin-vue-admin/blob/main/server/api/v1/example/exa_excel.go

func (e *ExcelApi) ExportExcel(c *gin.Context) {
	var excelInfo example.ExcelInfo
	_ = c.ShouldBindJSON(&excelInfo)
       // add that Interception logic
	if strings.Index(excelInfo.FileName, "..") > -1 {
		response.FailWithMessage("包含非法字符", c)
		return
	}

	filePath := global.GVA_CONFIG.Excel.Dir + excelInfo.FileName
	err := excelService.ParseInfoList2Excel(excelInfo.InfoList, filePath)
	if err != nil {
		global.GVA_LOG.Error("转换Excel失败!", zap.Error(err))
		response.FailWithMessage("转换Excel失败", c)
		return
	}
	c.Writer.Header().Add("success", "true")
	c.File(filePath)
}

Workarounds

Can will be affected by the first source (https://github.com/flipped-aurora/gin-vue-admin/blob/main/server/api/v1/example/exa_excel.go), one of the 82 to 107 line commented out.

References

#1002

For more information

Affected source code: https://github.com/flipped-aurora/gin-vue-admin/blob/main/server/api/v1/example/exa_excel.go, did not check the reason for the fileName parameter, Causes an arbitrary file to be read with the code on lines 82 through 107:

// @Tags excel
// @Summary 下载模板
// @Security ApiKeyAuth
// @accept multipart/form-data
// @Produce  application/json
// @Param fileName query string true "模板名称"
// @Success 200
// @Router /excel/downloadTemplate [get]
func (e *ExcelApi) DownloadTemplate(c *gin.Context) {
	fileName := c.Query("fileName")
	filePath := global.GVA_CONFIG.Excel.Dir + fileName

	fi, err := os.Stat(filePath)
	if err != nil {
		global.GVA_LOG.Error("文件不存在!", zap.Error(err))
		response.FailWithMessage("文件不存在", c)
		return
	}
	if fi.IsDir() {
		global.GVA_LOG.Error("不支持下载文件夹!", zap.Error(err))
		response.FailWithMessage("不支持下载文件夹", c)
		return
	}
	c.Writer.Header().Add("success", "true")
	c.File(filePath)
}

image
image

Severity

High

CVE ID

CVE-2022-24843

Weaknesses