Tandoor Recipes Path Traversal Vulnerability in Recipe Import Workflow Allows Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in Tandoor Recipes versions prior to 2.5.1, within the RecipeImport workflow. It allows any authenticated user who holds import permissions to read arbitrary files on the server. The root cause is twofold: the file_path parameter accepted by the import workflow is not adequately validated, and the Local storage backend does not confirm that the path it is asked to serve stays inside the intended storage directory. Together these gaps let a user bypass directory restrictions and read files outside the storage root, such as /etc/passwd or the application's own configuration (settings.py).

Impact

Exploitation results in unauthorized read access to sensitive files on the host, including system files and application configuration. Because a Django settings module typically holds the SECRET_KEY and database credentials, reading settings.py can be enough to escalate from file disclosure to a full compromise of the application and the system it runs on.

Reproduction

To reproduce this vulnerability, an authenticated user with import permissions sends a POST request to the '/api/recipe-import/' endpoint with a file_path that points at a sensitive file, such as '/etc/passwd'. Once the import object has been created, the user converts it into a recipe; the malicious file path is persisted on the resulting recipe without being re-validated. Finally, the user requests '/api/get_recipe_file/<RECIPE_ID>/', where <RECIPE_ID> is the ID of the imported recipe, and the Local storage backend serves the contents of the file at that path.

Remediation

Update to Tandoor Recipes version 2.5.1, where this vulnerability has been fixed. Until the upgrade is in place, limit import permissions to trusted accounts and review stored recipe file paths for absolute paths or '..' segments, since a malicious path persisted before the upgrade would otherwise remain on the recipe.
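The following is an added example, not Tandoor's own code, illustrating the class of check that the Reproduction and Remediation sections describe: a local storage backend must resolve a user-supplied path against its storage root and refuse anything that lands outside it. The import root, the file names and the symlink are constructed here for the demonstration; the naive_resolve and safe_resolve function names are hypothetical. It shows why a plain os.path.join is not a containment check (an absolute file_path such as /etc/passwd replaces the root entirely) and how realpath plus commonpath rejects absolute paths, '..' traversal and symlinks that point out of the root.

```python
import os
import shutil
import tempfile


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would leave the storage root."""


def naive_resolve(import_root: str, file_path: str) -> str:
    """The weak pattern: join the user path onto the root and trust the result.

    os.path.join discards import_root when file_path is absolute, and '..'
    segments are preserved, so '/etc/passwd' or '../../etc/passwd' both
    resolve to a file outside the root.
    """
    return os.path.normpath(os.path.join(import_root, file_path))


def safe_resolve(import_root: str, file_path: str) -> str:
    """Hardened pattern: resolve symlinks, then require containment.

    1. Reject absolute paths outright; the backend only serves relative names.
    2. Resolve both root and candidate with realpath so that '..' and
       symlinks are collapsed before the comparison.
    3. Use os.path.commonpath rather than a string-prefix test, so that
       '/data/import2' is not mistaken for a child of '/data/import'.
    """
    if os.path.isabs(file_path):
        raise PathTraversalError(f"absolute path rejected: {file_path!r}")
    root = os.path.realpath(import_root)
    candidate = os.path.realpath(os.path.join(root, file_path))
    if os.path.commonpath([root, candidate]) != root:
        raise PathTraversalError(f"path escapes storage root: {file_path!r}")
    return candidate


def read_import_file(import_root: str, file_path: str) -> bytes:
    """What a get-file handler should do: validate containment, then read."""
    with open(safe_resolve(import_root, file_path), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Builds a throwaway storage root (constructed test data) holding one
    legitimate file and one symlink to a file outside the root, then records
    how each resolver treats a set of probe paths.

    Returns {probe: (naive_result, "allowed" | "rejected", safe_result_or_None)}.
    """
    tmp = tempfile.mkdtemp()
    try:
        root = os.path.join(tmp, "import")
        outside = os.path.join(tmp, "secret.txt")
        os.mkdir(root)
        with open(os.path.join(root, "recipe.json"), "w") as fh:
            fh.write('{"name": "soup"}')
        with open(outside, "w") as fh:
            fh.write("SECRET")
        os.symlink(outside, os.path.join(root, "link"))

        probes = ["recipe.json", "/etc/passwd", "../secret.txt", "link"]
        results = {}
        for probe in probes:
            naive = naive_resolve(root, probe)
            try:
                results[probe] = (naive, "allowed", safe_resolve(root, probe))
            except PathTraversalError:
                results[probe] = (naive, "rejected", None)
        # The legitimate file is still readable through the hardened path.
        results["recipe.json"] = results["recipe.json"] + (
            read_import_file(root, "recipe.json"),
        )
        return results
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for probe, outcome in demo().items():
        print(f"{probe!r:18} naive -> {outcome[0]}  hardened -> {outcome[1]}")
```

Two details matter in practice. The check has to run at the point the file is read, not only when the import object is created, because (as the Reproduction section shows) the path is persisted and later served by a different endpoint. And a symlink inside the root is only caught because realpath is applied to the candidate; a check that normalises the string but never touches the filesystem will pass it.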

Added: Feb 13, 2026, 7:41 PM
Updated: Feb 13, 2026, 11:33 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 2.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.