Gradio Path ACL Bypass Vulnerability Allowing Unauthorized File Access

Vulnerability

A vulnerability in Gradio's Access Control List (ACL) for file paths allows for bypassing restrictions on blocked files or directories. This issue arises from the absence of case normalization in the file path validation process. On case-insensitive file systems like those used by Windows and macOS, attackers can exploit this flaw to access sensitive files that should be protected. The vulnerability could lead to unauthorized data access, exposing critical information and compromising Gradio's security model. This issue affects Gradio versions prior to 5.6.0 and has been addressed in version 5.6.0.

Impact

Exploiting this vulnerability can result in unauthorized access to sensitive files or directories specified in the blocked_paths parameter, potentially leading to the exposure of critical data such as configuration files or user information. This breach could allow for a broader compromise of the application or system, especially if the accessed files contain sensitive credentials or API keys.

Reproduction

To reproduce this vulnerability, deploy a Gradio demo app on a case-insensitive operating system such as Windows or macOS. In the app, set the blocked_paths parameter to include a directory that contains a sensitive file, such as a credential file. After launching the app, access the sensitive file by altering the case of the blocked path in the request. The ACL bypass will be successful, granting access to the previously restricted file.

Remediation

Users are advised to upgrade to Gradio version 5.6.0 or later, where this vulnerability has been fixed. Additionally, developers should be cautious when deploying Gradio applications on case-insensitive file systems, as this vulnerability could be exploited to bypass security restrictions and access sensitive data.
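The check described in the Vulnerability section (path validation with no case normalization) and the mitigation this section recommends can be illustrated side by side. The following is an added example and is not Gradio's own code: `is_blocked_naive` reproduces the vulnerable pattern (byte-for-byte comparison after path normalization), `is_blocked_hardened` folds case only when the volume actually is case-insensitive, and `probe_case_insensitive` determines that by creating a temporary file and looking it up under a differently cased name rather than guessing from the operating system. The function names, the `BLOCKED_PATHS` directory and the request paths are constructed for this example.

```python
import os
import shutil
import tempfile
from typing import Iterable, Optional

# Constructed sample ACL: the directory an operator would pass to blocked_paths
# in the advisory's scenario. The path and file names here are made up.
BLOCKED_PATHS = ["/srv/app/secrets"]


def _is_under(path: str, parent: str) -> bool:
    """True if `path` equals `parent` or lives inside it. The comparison is
    segment-aware, so '/srv/app/secretsfile' is NOT under '/srv/app/secrets'."""
    parent = parent.rstrip(os.sep) or os.sep
    if parent == os.sep:
        return path.startswith(os.sep)
    return path == parent or path.startswith(parent + os.sep)


def is_blocked_naive(path: str, blocked_paths: Iterable[str]) -> bool:
    """Vulnerable pattern: normpath() collapses '..' and duplicate separators,
    but the result is compared exactly. On a case-insensitive volume a request
    for '/srv/app/SECRETS/creds.txt' refers to the blocked directory yet is
    not matched, which is the gap the advisory describes."""
    p = os.path.normpath(path)
    return any(_is_under(p, os.path.normpath(b)) for b in blocked_paths)


def probe_case_insensitive(directory: Optional[str] = None) -> bool:
    """Ask the volume instead of the OS: create a file named 'CaseProbe' and
    check whether 'cASEpROBE' resolves to it. Pass the directory that holds
    the blocked paths so the probe runs on the same volume."""
    tmpdir = tempfile.mkdtemp(dir=directory)
    try:
        with open(os.path.join(tmpdir, "CaseProbe"), "w"):
            pass
        return os.path.exists(os.path.join(tmpdir, "cASEpROBE"))
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


def is_blocked_hardened(
    path: str, blocked_paths: Iterable[str], case_insensitive: Optional[bool] = None
) -> bool:
    """Hardened check: canonicalize both sides the same way, and fold case
    only when the volume is case-insensitive. Folding unconditionally would
    over-block on a case-sensitive volume, where 'SECRETS' and 'secrets' are
    genuinely different directories."""
    if case_insensitive is None:
        case_insensitive = probe_case_insensitive()

    def canon(s: str) -> str:
        s = os.path.normpath(s)
        return s.casefold() if case_insensitive else s

    p = canon(path)
    return any(_is_under(p, canon(b)) for b in blocked_paths)


if __name__ == "__main__":
    requested = "/srv/app/SECRETS/creds.txt"  # constructed request path
    print("this volume is case-insensitive:", probe_case_insensitive())
    print("naive check blocks the request:  ", is_blocked_naive(requested, BLOCKED_PATHS))
    print("hardened check (insensitive fs): ",
          is_blocked_hardened(requested, BLOCKED_PATHS, case_insensitive=True))
```

The point of the probe is that the decision must follow the volume, not the platform: a Linux host serving files from a case-insensitive mount needs the folded comparison, while macOS formatted as case-sensitive APFS does not. The probe only answers for the volume holding the temporary directory, so pass the blocked directory's location when the application spans several mounts.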

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          4.5
impact          2.5
exploitability  9.1
remediation     7.7
relevance       0.0
threat          6.4
urgency         2.9
incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.