Datart Directory Traversal Vulnerability Allowing Arbitrary File Upload and Potential Remote Code Execution

Vulnerability

A directory traversal vulnerability has been identified in Datart version 1.0.0-rc.3. The issue arises in the application's handling of configuration files, specifically through the POST /api/v1/files/viz/image interface. The server directly saves uploaded files to a user-controllable path without proper validation of the filename. This flaw allows attackers to upload arbitrary YAML files to the config/jdbc-driver-ext.yml location. Once uploaded, the application parses these files using SnakeYAML's unsafe load() methods, enabling the deserialization of attacker-controlled content and leading to arbitrary class instantiation. Under certain conditions, this vulnerability can be exploited to achieve remote code execution.

Impact

Exploitation of this vulnerability could lead to unauthorized file uploads, deserialization of malicious YAML content, arbitrary class instantiation, and potentially remote code execution on the server.

Reproduction

To reproduce this vulnerability, upload a file through the POST /api/v1/files/viz/image interface. Specify a filename that includes directory traversal sequences to navigate to the config directory and overwrite the jdbc-driver-ext.yml file. Once the file is uploaded, the application will parse it using an unsafe method, allowing for the execution of arbitrary code if certain conditions are met.
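The two defects described above, an unvalidated upload filename and SnakeYAML's unrestricted load(), can each be closed with a small check. The following is an added example, not Datart's code or its official fix; the class name, method names, upload directory and sample inputs are assumptions, and it requires SnakeYAML on the classpath.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical helper: names and the upload directory are assumptions, not Datart's code.
public class UploadHardening {

    // Resolve a client-supplied filename under baseDir and reject anything that
    // escapes it ("../" sequences or absolute paths). normalize() is purely lexical:
    // if symlinks may exist under baseDir, also compare toRealPath() of the parent.
    static Path resolveUpload(Path baseDir, String clientName) throws IOException {
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(clientName).normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IOException("rejected upload path: " + clientName);
        }
        return target;
    }

    // SafeConstructor builds only maps, lists and scalars; a YAML tag that names
    // a Java class raises an exception instead of instantiating that class.
    static Object loadConfig(String yamlText) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(yamlText);
    }

    public static void main(String[] args) {
        Path uploads = Paths.get("files", "viz", "image"); // assumed upload directory
        // Constructed sample filenames: one ordinary, one traversal, one absolute.
        String[] names = {"chart.png", "../../../config/jdbc-driver-ext.yml", "/etc/passwd"};
        for (String n : names) {
            try { System.out.println("accepted: " + resolveUpload(uploads, n)); }
            catch (IOException e) { System.out.println(e.getMessage()); }
        }
        // Constructed sample: a harmless class tag, used only to show the rejection.
        String tagged = "driver: !!java.lang.StringBuilder [\"x\"]";
        try { loadConfig(tagged); System.out.println("tag was instantiated"); }
        catch (RuntimeException e) { System.out.println("tag rejected: " + e.getClass().getSimpleName()); }
        // Plain configuration data still loads as nested maps.
        System.out.println(loadConfig("driver: {name: demo}"));
    }
}
```

Either check alone breaks the chain described above, but applying both means a write into config/ by some other route still cannot lead to class instantiation.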

Added: Sep 24, 2025, 6:58 PM
Updated: Sep 24, 2025, 6:58 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 0.5
threat: 6.5
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.