From 9e1a5c49cfbc730fd361d87eeb6be74fca6cf6a7 Mon Sep 17 00:00:00 2001
From: Dominik Wombacher
Date: May 24 2024 14:29:35 +0000
Subject: fix: Path traversal in view_issue_raw_file()

Use 'werkzeug.security.safe_join()' instead of plain 'os.path.join()' to sanitize user-provided filename variable and avoid escaping the base directory.

Vulnerability discovered by Thomas Chauchefoin

Fixes: rhbz#2279411, rhbz#2280728, rhbz#2280726, CVE-2024-4982

Signed-off-by: Dominik Wombacher
---
diff --git a/pagure/ui/issues.py b/pagure/ui/issues.py
index 1f90e30..26efbe2 100644
--- a/pagure/ui/issues.py
+++ b/pagure/ui/issues.py
@@ -25,6 +25,7 @@ from math import ceil
 import flask
 import pygit2
 import werkzeug.datastructures
+import werkzeug.security
 from binaryornot.helpers import is_binary_string
 from six.moves.urllib.parse import urljoin
 from sqlalchemy.exc import SQLAlchemyError
@@ -1483,7 +1484,10 @@ def view_issue_raw_file(repo, filename=None, username=None, namespace=None):
     attachdir = os.path.join(
         pagure_config["ATTACHMENTS_FOLDER"], repo.fullname
     )
-    attachpath = os.path.join(attachdir, filename)
+
+    # sanitize path, filename must be inside attachdir to be valid
+    attachpath = werkzeug.security.safe_join(attachdir, filename)
+
     if not os.path.exists(attachpath):
         if not os.path.exists(attachdir):
             os.makedirs(attachdir)
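Review bot: `werkzeug.security.safe_join()` returns `None` when `filename` would escape `attachdir`, and the new code hands that value straight to `os.path.exists(attachpath)`, which raises `TypeError` on `None` rather than returning `False` — so a rejected path now surfaces as an unhandled exception (a 500) instead of a clean not-found response. A guard between the `safe_join` call and the `exists` check closes that gap: `if attachpath is None: flask.abort(404)`. I believe older Werkzeug releases raised `NotFound` from `safe_join` instead of returning `None`; the guard is harmless on those, so it is safe regardless of the pinned version. The body of `view_issue_raw_file` starts and ends outside the hunk, so it is worth confirming nothing further down touches `attachpath` before such a guard would run.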