PTC-W6004 · Audit required: External control of file name or path

OreosLab / SSRSpeedN

Active

Audit required: External control of file name or path PTC-W6004

Security

Minor

2 years ago — 2 years old

a01 a04 cwe-73 owasp top 10

External variable 'filename' used in file path

ssrspeed/result/pusher/pusher.py

 8        return result
 9    try:
10        logger.info(f"Pushing {filename} to server.")
11        files = {"file": open(filename, "rb")}12        param = {"token": token, "remark": remark}
13        rep = requests.post(server, files=files, data=param, timeout=10)
14        result["status"] = rep.status_code

External variable 'filename' used in file path

ssrspeed/result/importer/importer.py

2
3
4def import_result(filename: str) -> list:
5    with open(filename, "r", encoding="utf-8") as f:6        fi = json.load(f)
7    return fi

External variable 'filename' used in file path

ssrspeed/parser/v2ray/vmess.py

 99        return self.__decoded_configs
100
101    def parse_gui_config(self, filename: str) -> Union[list, bool]:
102        with open(filename, "r", encoding="utf-8") as f:103            try:
104                config = json.load(f)
105            except Exception:

External variable 'filename' used in file path

ssrspeed/parser/v2ray/vclash.py

70        return self.__decoded_configs
71
72    def parse_gui_config(self, filename: str) -> list:
73        with open(filename, "r+", encoding="utf-8") as f:74            try:
75                clash_cfg = yaml.load(f, Loader=yaml.FullLoader)
76            except Exception:

External variable 'filename' used in file path

ssrspeed/parser/ss/sclash.py

73        return self.__config_list
74
75    def parse_gui_config(self, filename: str) -> list:
76        with open(filename, "r+", encoding="utf-8") as f:77            try:
78                clash_cfg = yaml.load(f, Loader=yaml.FullLoader)
79            except Exception:

Description

Python's open() function can take in a relative or absolute path and read its file contents. If a user is provided direct access to the path that is opened, it can have serious security risks.

Bad practice

def read_file(path):
    with open(os.path.join('some/path', path)) as f:
        f.read()

# Someone can exploit `read_file` and see your secrets this way:
read_file('../../../secrets.txt')

References

OWASP Top 10 2021 Category A01 - Broken Access Control
OWASP Top 10 2021 Category A04 - Insecure Design
CWE-73 External Control of File Name or Path

OreosLab / SSRSpeedN

Bad practice

Recommended

References