certsocietegenerale / fame

FAME Automates Malware Evaluation
https://certsocietegenerale.github.io/fame/
GNU General Public License v3.0

Path traversal vulnerability to read arbitrary file #163

Closed 0xDC0DE closed 1 month ago

0xDC0DE commented 1 month ago

Description:

We are researchers at Semgrep, an open-source static analysis tool. We regularly test new rules for this tool on open source code. During this testing we identified a potential path traversal in your codebase. The issue was found in the agent/agent.py file, specifically at line L294.

https://github.com/certsocietegenerale/fame/blob/33dee3ff3d1020ae7d216e71c176e97410db6cb4/agent/agent.py#L292-L294

In this location, form input data is used directly to read the contents of a file and send it back. With path manipulation, for example characters like ../.., an arbitrary file could be read on the server this software is running on.

Proposed Fix: One way to fix this is by adding a check whether the requested file is part of the subdirectory structure of an approved folder.

Additional Information:
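As an added illustration of the containment check proposed in this comment (example code, not the FAME project's own; `approved_dir` and the directory layout are hypothetical), resolving symlinks and `..` before comparing and using `commonpath` rather than a string prefix:

```python
# Added example, not code from the FAME project: the containment check that
# the comment above proposes, with `approved_dir` as a hypothetical name.
import os
import tempfile
from typing import Optional

def resolve_under(approved_dir: str, requested: str) -> Optional[str]:
    """Real path of `requested` if it lies inside `approved_dir`, else None.
    commonpath (not a string prefix) keeps /srv/approved2 out of /srv/approved."""
    base = os.path.realpath(approved_dir)
    # os.path.join drops `base` when `requested` is absolute, so an absolute
    # request is compared as-is and fails containment unless it really is inside.
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:  # e.g. different drives on Windows
        return None
    return candidate

def read_approved_file(approved_dir: str, requested: str) -> bytes:
    """The form-parameter file read, gated by the containment check."""
    path = resolve_under(approved_dir, requested)
    if path is None:
        raise PermissionError(f"refusing to read outside approved dir: {requested!r}")
    with open(path, "rb") as fh:
        return fh.read()

def demo() -> dict:
    """Constructed layout: approved/report.txt, a sibling secret.txt, and a symlink
    inside approved/ to the secret. Maps each request to 'verdict as expected'."""
    root = tempfile.mkdtemp()
    approved = os.path.join(root, "approved")
    os.makedirs(approved)
    with open(os.path.join(approved, "report.txt"), "wb") as fh:
        fh.write(b"ok")
    with open(os.path.join(root, "secret.txt"), "wb") as fh:
        fh.write(b"secret")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(approved, "link"))
    expected = {
        "report.txt": True,                        # plain file in approved/
        "../secret.txt": False,                    # dot-dot traversal
        "link": False,                             # symlink escapes after realpath
        "../approved2/x": False,                   # sibling with matching prefix
        os.path.join(root, "secret.txt"): False,   # absolute path
    }
    return {req: (resolve_under(approved, req) is not None) == ok
            for req, ok in expected.items()}
```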

Augustin-FL commented 1 month ago

Hello,

This is correct: the code is intentionally designed to retrieve an arbitrary file on the machine. This is the expected behavior and no fix is needed here.

For context, the file agent.py is supposed to be executed on a puppet Virtual Machine (Sandbox), which will be used for malware analysis. The entire Python script is designed to retrieve, but also execute, arbitrary files on the puppet VM.

If you want to have more information about the agent, you can read https://fame.readthedocs.io/en/latest/installation.html#isolated-processing-modules

0xDC0DE commented 1 month ago

Thanks for the context and the response! I'll close the issue.