aimhubio aim LockManager Path Traversal Vulnerability Allowing Arbitrary File Deletion

Vulnerability

A path traversal vulnerability has been identified in the `LockManager.release_locks` function of aimhubio/aim, specifically at commit bb76afe. The `run_hash` parameter is user-controllable and is concatenated into a file path without normalization or validation, so a caller can steer the resulting path anywhere on the filesystem and cause an arbitrary file to be deleted. The vulnerable code is reached through the `Repo._close_run()` method, which is exposed by the tracking server's instruction API, so an attacker who can reach that API can delete any file on the host running the tracking server.
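The bug class described above is easy to reproduce in miniature and just as easy to close. The following is an added illustration, not aim's own code: `release_locks_vulnerable` models the unsafe pattern (a caller-supplied `run_hash` joined straight onto a locks directory), and `safe_lock_path` shows the two checks a hardened version needs, a strict allow-list on the identifier's syntax plus a containment check on the resolved path. The directory name, the assumed hex format of a run hash, and the function names are all assumptions made for the example.

```python
import os
import re
from pathlib import Path

# Constructed directory for the example; aim's real locks directory is not assumed.
LOCKS_DIR = "/srv/aim/.aim/locks"

# Assumed run-hash syntax for the example: lowercase hex, 8 to 64 characters.
# The real format in aim is not assumed here; the point is that an allow-list
# rejects every path separator, dot segment and absolute path outright.
RUN_HASH_RE = re.compile(r"^[0-9a-f]{8,64}$")


def release_locks_vulnerable(locks_dir: str, run_hash: str) -> str:
    """Unsafe pattern: the identifier is concatenated into the path as-is.

    os.path.join discards every earlier component when a later one is
    absolute, so run_hash="/etc/hosts" yields "/etc/hosts" and the directory
    prefix gives no protection at all.  "../" segments escape the same way.
    (Returns the path instead of deleting it so the example is safe to run.)
    """
    return os.path.join(locks_dir, run_hash)


def is_safe_run_hash(run_hash: str) -> bool:
    """Syntactic allow-list check on the identifier alone."""
    return RUN_HASH_RE.fullmatch(run_hash) is not None


def safe_lock_path(locks_dir: str, run_hash: str) -> Path:
    """Hardened variant: validate the identifier, then confirm containment.

    The second check is defence in depth: even if the allow-list were later
    relaxed, a resolved path whose parent is not the locks directory (for
    example via a symlink planted inside it) is refused before any unlink.
    """
    if not is_safe_run_hash(run_hash):
        raise ValueError(f"invalid run hash: {run_hash!r}")
    base = Path(locks_dir).resolve()
    candidate = (base / run_hash).resolve()
    if candidate.parent != base:
        raise ValueError(f"lock path escapes locks directory: {candidate}")
    return candidate


def release_lock_safe(locks_dir: str, run_hash: str) -> bool:
    """Delete the lock file only after both checks pass.

    Returns True if a file was removed, False if no lock existed.
    """
    path = safe_lock_path(locks_dir, run_hash)
    try:
        path.unlink()
        return True
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a legitimate-looking hash and two hostile values.
    for candidate in ("0123456789abcdef", "/etc/hosts", "../../etc/hosts"):
        print(f"vulnerable join -> {release_locks_vulnerable(LOCKS_DIR, candidate)}")
        try:
            print(f"hardened        -> {safe_lock_path(LOCKS_DIR, candidate)}")
        except ValueError as exc:
            print(f"hardened        -> rejected ({exc})")
```

The first loop iteration shows the benign case passing both versions; the second shows `os.path.join` returning the attacker's absolute path verbatim while the hardened version rejects it at the allow-list. Validating the identifier's syntax is the primary fix because it never lets a separator into the path in the first place; the containment check is what catches anything the allow-list did not anticipate.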

Impact

Exploitation of this vulnerability leads to arbitrary file deletion on the server where the aim tracking server is running.

Reproduction

To reproduce this vulnerability, start the aim tracking server by running `aim init` followed by `aim server`. Then execute a Python script that sends a request to the tracking server's instruction API, targeting the `_close_run` method of the `Repo` resource, and pass the absolute path of the file to be deleted as the `run_hash` argument. When the request is processed, the specified file is deleted and an empty directory is left in its place.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.