danswer-ai Danswer ZulipConnector Arbitrary File Overwrite Vulnerability

An arbitrary file overwrite vulnerability has been identified in the ZulipConnector of the danswer-ai/danswer application, specifically in the latest version. This vulnerability arises in the load_credentials method, where user-controlled input for realm_name and zuliprc_content is used to create file paths and write file contents. As a result, attackers can overwrite or create arbitrary files if a zuliprc- directory already exists in the temporary directory.

Impact

Exploitation of this vulnerability allows for arbitrary file overwrite or creation, depending on whether the target file already exists.

Reproduction

To reproduce this vulnerability, first create a ZulipConnector and provide a realm_name that includes path traversal sequences to target a specific file location. Then, input arbitrary content into the zuliprc_content field, which will be written to a file in the temporary directory. If the zuliprc- directory for the specified realm_name already exists, the contents will overwrite the existing file. If it does not exist, a new file will be created, potentially allowing for further exploitation.

Remediation

The vulnerability can be mitigated by using a safer method for creating temporary files, such as tempfile.NamedTemporaryFile, which securely handles file creation and reduces the risk of arbitrary file overwrite or creation.