Steel Browser Path Traversal Vulnerability in File Upload Handling
Vulnerability
A critical path traversal vulnerability has been identified in Steel Browser versions through 0.1.3. The issue lies in the 'handleFileUpload' function in 'files.routes.ts', where the 'filename' argument is used without sanitization, so a crafted value can direct the file write outside the intended directory. The vulnerability can be exploited remotely by sending file upload requests whose filename traverses the file system, potentially overwriting important files or disrupting the application's functionality.
Impact
Exploitation of this vulnerability allows arbitrary file writes, with the potential to overwrite existing files or disrupt the application's normal operation. There is also concern that it could be leveraged to obtain a shell inside the container for further penetration, especially in cloud-hosted deployments that were not started by the user themselves.
Reproduction
To reproduce this vulnerability, add 'extra_hosts: - "host.docker.internal:host-gateway"' to the 'docker-compose.dev.yml' file. Then launch the Docker container with 'docker compose -f docker-compose.dev.yml up --build'. Once the container is running, set up an HTTP server on the host that responds with a file name containing path traversal characters. Finally, send a POST request to the application's file upload endpoint with that HTTP server's URL as the fileUrl. The response should indicate that a file has been written to the container's file system, demonstrating the path traversal.
Remediation
Users are advised to update to the latest version of Steel Browser, where this vulnerability has been patched.
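As an added illustration of the defect described under Vulnerability and of the kind of fix Remediation refers to, the following TypeScript shows the unsafe join pattern next to a hardened resolver that sanitizes a remotely supplied filename and verifies the resolved path stays inside the upload directory. This is example code written for this page, not Steel Browser's own 'files.routes.ts'; the directory 'UPLOAD_DIR' and every function name ('vulnerableJoin', 'sanitizeFilename', 'resolveUploadPath', 'isRejected', 'looksLikeTraversal') are assumptions.

```typescript
// Added example (not Steel Browser's own code): hardened handling of a
// filename that arrives from an untrusted source, such as the response of the
// server a `fileUrl` points at. `UPLOAD_DIR` and all function names below are
// assumptions made for this illustration.
import * as path from "path";

// The application runs in a Linux container, so POSIX path semantics apply.
const fsPath = path.posix;

// Assumed upload directory; the real application's path is not given here.
export const UPLOAD_DIR = "/app/files";

// The vulnerable pattern: join normalizes "..", so a crafted filename walks
// out of UPLOAD_DIR. Kept only so the defect is observable in a test.
export function vulnerableJoin(filename: string, baseDir: string = UPLOAD_DIR): string {
  return fsPath.join(baseDir, filename);
}

// Reduce an untrusted filename to exactly one safe path component, refusing
// anything that could change the directory the file lands in.
export function sanitizeFilename(untrusted: string): string {
  let name: string;
  try {
    // Decode first so "%2e%2e%2f" is inspected as "../", not passed through.
    name = decodeURIComponent(untrusted);
  } catch {
    throw new Error("unsafe filename: malformed percent-encoding");
  }
  if (name.includes("\0")) {
    throw new Error("unsafe filename: NUL byte");
  }
  if (/[\\/]/.test(name)) {
    throw new Error("unsafe filename: path separator present");
  }
  // Strip remaining control characters that could confuse logs or shells.
  name = name.replace(/[\x01-\x1f\x7f]/g, "").trim();
  if (name === "" || name === "." || name === "..") {
    throw new Error("unsafe filename: empty or dot component");
  }
  return name;
}

// Resolve the sanitized name under baseDir and verify containment afterwards.
// The containment check is defence in depth: even if sanitizeFilename were
// weakened later, a resolved path outside baseDir is still refused.
export function resolveUploadPath(untrusted: string, baseDir: string = UPLOAD_DIR): string {
  const root = fsPath.resolve(baseDir);
  const candidate = fsPath.resolve(root, sanitizeFilename(untrusted));
  if (candidate === root || !candidate.startsWith(root + fsPath.sep)) {
    throw new Error("unsafe filename: resolved path escapes upload directory");
  }
  return candidate;
}

// Convenience for handlers and tests: does the hardened resolver refuse this input?
export function isRejected(untrusted: string, baseDir: string = UPLOAD_DIR): boolean {
  try {
    resolveUploadPath(untrusted, baseDir);
    return false;
  } catch (e) {
    return e instanceof Error && e.message.startsWith("unsafe filename");
  }
}

// Detection aid: flag raw inputs that look like traversal attempts so a
// handler can log and alert on them in addition to rejecting them.
export function looksLikeTraversal(untrusted: string): boolean {
  let decoded = untrusted;
  try {
    decoded = decodeURIComponent(untrusted);
  } catch {
    // Malformed encoding is itself suspicious; inspect the raw string instead.
  }
  return decoded.includes("\0") || /(^|[\\/])\.\.([\\/]|$)/.test(decoded);
}
```

The resolver rejects rather than silently "fixes" a traversal attempt (for example by keeping only the last path segment), because a rejected request is easy to log and alert on, while a quietly rewritten one hides the attack from operators; 'looksLikeTraversal' exists so the handler can record the attempt even before sanitization runs.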