fohrloop dash-uploader Directory Traversal Vulnerability Allowing Remote Code Execution
Vulnerability
A directory traversal vulnerability has been identified in fohrloop dash-uploader versions 0.1.0 through 0.7.0a2. This vulnerability allows remote attackers to execute arbitrary code by exploiting the dash_uploader/httprequesthandler.py components, specifically the BaseHttpRequestHandler.get_temp_root() and BaseHttpRequestHandler._post() methods. The vulnerability arises because user-controlled parameters are passed directly to file handling functions without proper validation, enabling attackers to manipulate file paths and execute malicious code.
Impact
Exploitation of this vulnerability allows for arbitrary file writes to any directory accessible by the server process. This could lead to remote code execution by placing a malicious file in a location that is executed by the Python interpreter, such as the site-packages directory or a user's cron jobs.
Reproduction
To reproduce this vulnerability, send an HTTP POST request to the upload endpoint (/API/dash-uploader) with the 'upload_id' parameter set to a path traversal sequence that escapes the default upload directory, such as '../../../../usr/local/lib/python3.10/site-packages'. Include the 'resumableFilename' and 'resumableIdentifier' parameters to control the final filename and the temporary directory creation, respectively. The default library configuration is vulnerable and can be exploited with a single command using curl.
Remediation
Users are advised to migrate to the built-in 'dcc.Upload' component of Plotly Dash, which does not expose a filesystem-writing handler or allow client-controlled destination paths. If 'dash-uploader' must be used, place the upload endpoint behind authentication and validate the 'upload_id', 'resumableFilename', and 'resumableIdentifier' parameters against a strict allowlist. Alternatively, a custom Flask upload handler can be implemented.
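One way to implement the allowlist validation and path confinement recommended above, as an added example rather than code from dash-uploader or Plotly Dash; the regexes, the `upload_root/upload_id/resumableIdentifier/resumableFilename` layout and all function names are assumptions:

```python
import re
from pathlib import Path

# Assumed allowlists (not from dash-uploader): identifiers are opaque tokens and
# the filename is one path component, so '/', '\\', '%', NUL and '..' never pass.
_IDENT_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
_FILENAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


class RejectedUpload(ValueError):
    """Raised when a client-supplied upload parameter fails validation."""


def validate_token(value, field: str) -> str:
    """Allowlist check for upload_id and resumableIdentifier."""
    if not isinstance(value, str) or not _IDENT_RE.fullmatch(value):
        raise RejectedUpload(f"{field}: not in allowlist")
    return value


def validate_filename(value) -> str:
    if not isinstance(value, str) or not _FILENAME_RE.fullmatch(value):
        raise RejectedUpload("resumableFilename: not in allowlist")
    return value


def resolve_upload_path(upload_root, upload_id, resumable_identifier,
                        resumable_filename) -> Path:
    """Return the only destination the server will write to, or raise."""
    root = Path(upload_root).resolve()
    target = (root
              / validate_token(upload_id, "upload_id")
              / validate_token(resumable_identifier, "resumableIdentifier")
              / validate_filename(resumable_filename)).resolve()
    # Second line of defence: even if the allowlists are loosened later,
    # refuse any destination (including via symlinks) outside the upload root.
    if root not in target.parents:
        raise RejectedUpload("destination escapes upload root")
    return target


def is_accepted(upload_root, upload_id, resumable_identifier,
                resumable_filename) -> bool:
    try:
        resolve_upload_path(upload_root, upload_id, resumable_identifier,
                            resumable_filename)
        return True
    except RejectedUpload:
        return False


if __name__ == "__main__":
    print(is_accepted("uploads", "3f2a", "job-1", "report.csv"))
    print(is_accepted("uploads", "../../../../usr/local/lib/python3.10/site-packages",
                      "job-1", "report.csv"))
```

The handler should call `resolve_upload_path` once and write only to the returned path; the traversal value quoted in the Reproduction section above fails the `upload_id` allowlist before any filesystem call is made.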
