Gleam Path Traversal Vulnerability in Documentation Handling Allows Arbitrary File Read and Write

Vulnerability

A path traversal vulnerability has been identified in Gleam's handling of custom documentation pages. It allows arbitrary file reading and writing outside the designated documentation output directory. The vulnerability arises because entries in the 'documentation.pages' section of 'gleam.toml' are joined into filesystem paths without adequate validation, so a crafted entry can cause local files to be exposed in the generated documentation or documentation files to be written to unintended locations. The vulnerability affects Gleam versions from 1.16.0 up to, but not including, 1.17.0.

Impact

Exploitation of this vulnerability could result in unauthorized access to local files, such as '/etc/passwd', which could be embedded in generated documentation. Additionally, the vulnerability allows for the creation of documentation files outside the intended output directory, potentially overwriting important files or disrupting project organization.

Reproduction

To reproduce this vulnerability, create a 'gleam.toml' file with custom documentation pages that include relative paths, such as '../..' or Windows-style path separators. Then, run 'gleam docs build' on an untrusted project or with untrusted 'gleam.toml' content. This will trigger the path traversal, allowing access to files outside the project directory or writing files to unintended locations.

Remediation

Users should upgrade to Gleam version 1.17.0 or later, where this vulnerability has been fixed. Those still on version 1.16.0 should review the 'documentation.pages' entries in 'gleam.toml' before generating documentation, and should run documentation generation in a restricted or isolated environment, such as a container.
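The check that the Reproduction and Remediation sections describe, a 'documentation.pages' entry that must not leave the output directory, written here as an added Rust example; it is not Gleam's own code, and the function name 'resolve_page_path' and the 'build/docs' output directory are assumptions for illustration. It rejects the cases the advisory names ('..' components and Windows-style separators) as well as absolute paths.

```rust
use std::path::{Component, Path, PathBuf};

/// Reason a `documentation.pages` entry was rejected.
#[derive(Debug, PartialEq)]
pub enum PagePathError {
    Absolute,
    ParentDir,
    BackslashSeparator,
    Empty,
}

/// Hypothetical helper (not Gleam's): resolve a `documentation.pages`
/// entry to a file path inside `out_dir`, refusing anything that could
/// escape it. The entry is validated before it is joined, rather than
/// joined and then inspected.
pub fn resolve_page_path(out_dir: &Path, entry: &str) -> Result<PathBuf, PagePathError> {
    if entry.is_empty() {
        return Err(PagePathError::Empty);
    }
    // Reject Windows-style separators outright instead of guessing how
    // the target platform will interpret them. On Unix a backslash is an
    // ordinary filename character, so this check must come first.
    if entry.contains('\\') {
        return Err(PagePathError::BackslashSeparator);
    }
    let mut clean = PathBuf::new();
    for component in Path::new(entry).components() {
        match component {
            Component::Normal(part) => clean.push(part),
            Component::CurDir => {}
            Component::ParentDir => return Err(PagePathError::ParentDir),
            Component::RootDir | Component::Prefix(_) => return Err(PagePathError::Absolute),
        }
    }
    if clean.as_os_str().is_empty() {
        return Err(PagePathError::Empty);
    }
    let joined = out_dir.join(&clean);
    // Only normal components were kept, so the result must stay under out_dir.
    debug_assert!(joined.starts_with(out_dir));
    Ok(joined)
}

fn main() {
    // Constructed sample entries: one legitimate page and three escapes.
    let out = Path::new("build/docs");
    for entry in ["guide/intro.md", "../../etc/passwd", "..\\..\\secret", "/etc/passwd"] {
        println!("{:?} -> {:?}", entry, resolve_page_path(out, entry));
    }
}
```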

Added: Jun 2, 2026, 2:26 PM
Updated: Jun 2, 2026, 2:26 PM

Vulnerability Rating

Custom Algorithm
  spread          0.0
  impact          1.3
  exploitability  5.6
  remediation     0.0
  relevance       9.8
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.