Saltcorn Path Traversal Vulnerability in Sync Endpoints Allows Arbitrary File Write and Directory Read
Vulnerability
A path traversal vulnerability has been identified in Saltcorn, an open-source no-code database application builder, affecting versions prior to 1.4.5, 1.5.5, and 1.6.0-beta.4. The vulnerability exists in two unauthenticated sync endpoints: 'POST /sync/offline_changes' and 'GET /sync/upload_finished'. The 'POST' endpoint allows attackers to create arbitrary directories and write a 'changes.json' file with custom JSON content anywhere on the server filesystem. The 'GET' endpoint enables attackers to list directory contents and read specific JSON files from any directory.
Impact
Exploitation of this vulnerability allows for unauthenticated arbitrary directory creation and JSON file writing to any writable directory on the server. Additionally, it permits unauthenticated directory listing and reading of certain JSON files from arbitrary directories. There is also potential for remote code execution by writing to sensitive paths such as cron, systemd, or Node.js module directories.
Reproduction
To reproduce this vulnerability, send a POST request to the '/sync/offline_changes' endpoint without authentication. Include a 'newSyncTimestamp' parameter set to a path traversal string that resolves outside the intended directory, along with 'changes' containing the desired JSON payload. After the file is written, send a GET request to the '/sync/upload_finished' endpoint with a 'dir_name' parameter that traverses to a directory containing one of the target JSON files to read its contents.
Remediation
The vulnerability can be remediated by applying the 'File.normalise_in_base()' function to both affected endpoints, similar to the existing implementation in the 'clean_sync_dir' endpoint. Additionally, 'loggedIn' middleware should be added to endpoints that modify server state.