Aural-Alliance / FurryMusicDB

The Furry Musicians Database
https://furrymusicians.info
Apache License 2.0

LFI via /api/artists endpoint #26

Closed molangning closed 6 months ago

molangning commented 6 months ago

Currently there is a way to include a file using directory traversal

Vulnerable path

/api/artist/{random-artist-id}\..\..\{target path}/art-1709773367.jpg

Example to get a file through LFI:

curl "https://furrymusicians.info/api/artist/random\..\..\labels\1eedc13d-1a3f-6ed8-a3a8-6710d4c4554b/art-1709773367.jpg" --output temp.jpg

This vulnerability is dangerous as it can be chained with other attacks to achieve RCE.

One of the ways to mitigate this vulnerability can be by passing the path through realpath, checking file type at path, or by terminating the request if there are double dots (..) in artist_id.
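The realpath and double-dot checks proposed in this report, worked through as an added example that is not part of the issue or of the project's PHP/Flysystem code; it is written in Python, and UPLOAD_ROOT, the allowlist patterns and the function names are assumptions rather than anything from the repository. It combines an allowlist on the artist id and filename (which also rejects the backslash form used in the report) with a realpath containment check as a second layer.

```python
import os
import re

# Hypothetical upload root; the project's real storage path is not on the page.
UPLOAD_ROOT = "/srv/uploads/artists"

# Allowlists: an artist id and an artwork filename may only contain these
# characters, so "/", "\" and ".." never reach the filesystem layer at all.
ARTIST_ID_RE = re.compile(r"[A-Za-z0-9-]{1,64}")
FILENAME_RE = re.compile(r"[A-Za-z0-9._-]{1,128}")
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".webp"}


def is_within(root: str, candidate: str) -> bool:
    """Realpath-based containment check (defence in depth).

    Resolves symlinks and '..' in both paths, then requires that the resolved
    candidate lies under the resolved root. commonpath is used instead of
    str.startswith so that '/srv/uploads/artists-other' is not mistaken for
    a child of '/srv/uploads/artists'.
    """
    root_real = os.path.realpath(root)
    cand_real = os.path.realpath(candidate)
    try:
        return os.path.commonpath([root_real, cand_real]) == root_real
    except ValueError:  # different drives or mixed absolute/relative paths
        return False


def resolve_artist_file(artist_id: str, filename: str, root: str = UPLOAD_ROOT) -> str:
    """Map a request's artist id and filename to an on-disk path, or raise ValueError."""
    if not ARTIST_ID_RE.fullmatch(artist_id):
        raise ValueError("invalid artist id")
    if not FILENAME_RE.fullmatch(filename) or ".." in filename:
        raise ValueError("invalid filename")
    _stem, ext = os.path.splitext(filename)  # ".jpg" alone yields no extension
    if ext.lower() not in ALLOWED_EXT:
        raise ValueError("unsupported file type")
    candidate = os.path.join(root, artist_id, filename)
    if not is_within(root, candidate):
        raise ValueError("path escapes upload root")
    return os.path.realpath(candidate)


def is_allowed(artist_id: str, filename: str, root: str = UPLOAD_ROOT) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        resolve_artist_file(artist_id, filename, root)
        return True
    except ValueError:
        return False
```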

BusterNeece commented 6 months ago

@molangning So my assumption here was that the Flysystem filesystem abstraction library would mitigate against this, and after looking through the relevant code, it turns out I'm correct in that assumption, but only when traversing outside the volume managed by Flysystem itself.

In this case, what that means is that you could load other user-uploaded images provided you know their unique identifiers (like the example), but if you were to traverse outside the user-uploaded content volume (i.e. to try to traverse to /etc/passwd), this would not be possible and would yield an exception.

Rather than try to implement more code on top of Flysystem's existing traversal detection code, I consider this specific level of traversal to be completely acceptable, since the only visible content would be publicly visible content anyway.