Internetarchive Library Directory Traversal Vulnerability in File.download() Method

Vulnerability

A directory traversal vulnerability has been identified in the internetarchive Python library's File.download() method, affecting versions up to and including 5.5.0. The method writes each downloaded file to a path built from the file name recorded in the item's metadata on archive.org, that is, a name chosen by whoever uploaded the item rather than by the code calling download(), and it neither sanitizes that name nor checks where the final path resolves. A maliciously crafted name can therefore carry path traversal sequences (such as ../) or characters that are illegal on the target filesystem, causing the file to be written outside the intended target directory. Depending on how the library is used, overwriting system files or application configuration files can lead to a denial of service, privilege escalation, or remote code execution. All operating systems are affected, but the risk is greater on Windows, where backslashes and drive-letter colons, which Unix treats as ordinary file-name characters, are path syntax.

Impact

Exploitation lets a crafted file name steer a download to any location the downloading user can write to, overwriting critical system files or application configuration files. Such actions could lead to a denial of service, privilege escalation, or remote code execution, depending on the context in which the library is used.

Reproduction

The vulnerability can be reproduced on an affected version by calling File.download() (or Item.download(), which calls it for every file in the item) on a file whose name includes path traversal sequences or, on Windows, backslashes or illegal characters. The file is written outside the intended target directory, potentially overwriting critical system or application files.

Remediation

Users are advised to upgrade to version 5.5.1 or later, which addresses the vulnerability by introducing automatic filename sanitization, path resolution checks that block directory traversal, and warnings whenever a filename had to be sanitized. Those unable to upgrade should not rely on the default download path: pass an explicit file_path to File.download() that has been built from a sanitized file name and verified to resolve inside the intended destination directory, as a temporary workaround.
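The following Python is an added example, not code from this advisory or from the internetarchive project. It models the unsafe path construction the advisory describes next to a hardened replacement of the kind the workaround calls for, and it never imports or contacts the internetarchive library. unsafe_target_path is a simplified stand-in for the pre-5.5.1 behaviour, not the library's actual code; all function names, the downloads directory, the some-item identifier and the sample file names are assumptions.

```python
import os
import pathlib
import re

# Characters Windows refuses in file names, plus ASCII control characters.
_ILLEGAL_CHARS = re.compile(r'[<>:"|?*\x00-\x1f]')
# Device names Windows reserves regardless of extension (NUL.txt is still NUL).
_WINDOWS_RESERVED = {"CON", "PRN", "AUX", "NUL",
                     *(f"COM{i}" for i in range(1, 10)),
                     *(f"LPT{i}" for i in range(1, 10))}


def unsafe_target_path(destdir: str, identifier: str, name: str) -> str:
    """Simplified stand-in (an assumption, not the library's exact code) for
    the pre-5.5.1 behaviour: the file name from the item's metadata is joined
    onto the destination as-is, so '..' segments walk out of it."""
    return os.path.join(destdir, identifier, name)


def escapes_destination(destdir: str, path: str) -> bool:
    """True if path, once '..' segments and symlinks are resolved, does not
    lie under destdir. This is the check the vulnerable version lacked."""
    root = pathlib.Path(destdir).resolve()
    target = pathlib.Path(path).resolve()
    return target != root and root not in target.parents


def sanitize_filename(name: str) -> tuple[str, list[str]]:
    """Return (sanitized relative path, list of changes made).

    Sub-directories inside the item are kept, but '.', '..' and empty
    segments are dropped, Windows-illegal characters are replaced, trailing
    dots/spaces (which Windows strips silently) are removed, and reserved
    device names get a leading underscore. Backslashes count as separators
    even on Unix so the result is safe on either platform. An empty result
    means nothing usable was left."""
    changes: list[str] = []
    parts: list[str] = []
    for seg in re.split(r"[\\/]+", name):
        if seg in ("", "."):
            continue
        if seg == "..":
            changes.append("dropped '..' segment")
            continue
        cleaned = _ILLEGAL_CHARS.sub("_", seg)
        if cleaned != seg:
            changes.append(f"replaced illegal characters in {seg!r}")
        stripped = cleaned.rstrip(" .")
        if stripped != cleaned:
            changes.append(f"stripped trailing dots/spaces from {cleaned!r}")
        cleaned = stripped
        if cleaned.split(".")[0].upper() in _WINDOWS_RESERVED:
            changes.append(f"renamed reserved device name {cleaned!r}")
            cleaned = "_" + cleaned
        if cleaned:
            parts.append(cleaned)
    return (os.path.join(*parts) if parts else ""), changes


def safe_target_path(destdir: str, identifier: str,
                     name: str) -> tuple[pathlib.Path, list[str]]:
    """Hardened replacement: sanitize the name, then verify the resolved path
    is still inside destdir/identifier before anything is written.
    `identifier` is assumed to be a valid archive.org item identifier.
    Returns the path plus the sanitization changes so the caller can log a
    warning; raises ValueError rather than writing outside the item directory."""
    sanitized, changes = sanitize_filename(name)
    if not sanitized:
        raise ValueError(f"file name {name!r} has no usable components")
    item_root = pathlib.Path(destdir, identifier).resolve()
    target = (item_root / sanitized).resolve()
    # Sanitization should make this unreachable; keep it as a second line of
    # defence (e.g. against a symlink planted inside the item directory).
    if target != item_root and item_root not in target.parents:
        raise ValueError(f"{name!r} resolves outside {item_root}")
    return target, changes


if __name__ == "__main__":
    # Constructed sample names; "downloads" and "some-item" are assumptions.
    for crafted in ("../../etc/passwd", "..\\..\\boot.ini", "dir/NUL.txt:x"):
        raw = unsafe_target_path("downloads", "some-item", crafted)
        print(f"{crafted!r}: unsafe join escapes destination = "
              f"{escapes_destination('downloads', raw)}")
        try:
            safe, notes = safe_target_path("downloads", "some-item", crafted)
            print(f"  hardened -> {safe} {notes}")
        except ValueError as exc:
            print(f"  hardened -> rejected: {exc}")
```

Running the block on Linux shows the platform difference the advisory points at: "../../etc/passwd" escapes the destination under the unsafe join, while "..\\..\\boot.ini" is reported as contained because Unix treats the backslashes as ordinary characters, even though the same name would traverse on Windows. The hardened path treats both separators alike and records every change it made, so the caller can emit the kind of warning the 5.5.1 fix introduces.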

Added: Sep 6, 2025, 7:29 PM
Updated: Sep 6, 2025, 7:29 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  8.4
remediation     7.7
relevance       0.4
threat          4.9
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.