pyLoad Arbitrary Directory Write Vulnerability in set_package_data API Function

Vulnerability

A path traversal vulnerability has been identified in pyLoad versions through 0.5.0b3.dev99. The issue arises in the set_package_data() API function, which accepts a folder name for a package without sanitizing it, so any user with modify permissions can set an arbitrary download location for that package. Because the value is accepted as-is, an absolute path or a path containing parent-directory components is honoured, and files downloaded for the package are written outside the configured download directory. Since the attacker also controls which links the package downloads, this amounts to an arbitrary file write in any location the pyLoad process can write to.

Impact

Exploitation of this vulnerability allows absolute path traversal: downloaded files can be written to any directory in which the pyLoad process has write permissions, including, depending on how the service is deployed, locations from which other software reads configuration or executable content.

Reproduction

To reproduce this vulnerability, first create a package using the API and note the package ID returned in the response. Then call set_package_data() for that package ID, passing a data object whose '_folder' key contains an arbitrary directory, for example an absolute path outside the download root. The supplied folder is stored without any validation, and any links subsequently downloaded for the package are written to the chosen directory.
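The following is an added example, not pyLoad's own code, showing why an unchecked folder value escapes the download root and what a hardened check for the '_folder' branch of set_package_data() needs to enforce. The download root path, the function names and the package dict are assumptions made for the illustration. The unsafe model relies on a documented property of os.path.join: an absolute second argument discards everything before it. The hardened version rejects absolute paths (including Windows drive letters and leading backslashes, since pyLoad also runs on Windows), rejects any '..' component after normalization, and then confirms on fully resolved paths that the target still lies under the root.

```python
import os

# Assumed download root for the example; pyLoad's real setting name is not
# reproduced here.
DOWNLOAD_ROOT = "/var/lib/pyload/downloads"


def unsafe_package_folder(root: str, folder: str) -> str:
    """Model of the pre-fix behaviour: the '_folder' value is joined onto the
    download root with no checks. os.path.join discards every component before
    an absolute one, so an absolute '_folder' replaces the root entirely."""
    return os.path.join(root, folder)


def validate_package_folder(root: str, folder: str) -> str:
    """Hardened replacement (added example, not pyLoad's own code).

    Returns the normalized folder as a path relative to root, or raises
    ValueError if the value could place downloads outside root."""
    if not isinstance(folder, str) or not folder.strip():
        raise ValueError("folder must be a non-empty string")
    if "\x00" in folder:
        raise ValueError("folder contains a NUL byte")
    # Reject absolute paths on the current OS, plus Windows-style absolutes
    # (drive letter or leading backslash) so the rule holds on both platforms.
    if os.path.isabs(folder) or folder[:1] in ("/", "\\") or folder[1:2] == ":":
        raise ValueError("absolute paths are not allowed")
    # Treat backslashes as separators before looking for '..' components.
    normalized = os.path.normpath(folder.replace("\\", "/"))
    if os.pardir in normalized.split(os.sep):
        raise ValueError("parent-directory traversal is not allowed")
    # Final containment check on fully resolved paths (symlinks included).
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, normalized))
    if os.path.commonpath([root_real, target]) != root_real:
        raise ValueError("folder escapes the download root")
    return normalized


def is_rejected(root: str, folder: str) -> bool:
    """True if validate_package_folder() refuses the value."""
    try:
        validate_package_folder(root, folder)
    except ValueError:
        return True
    return False


def set_package_folder(package: dict, folder: str, root: str = DOWNLOAD_ROOT) -> dict:
    """Stand-in for the '_folder' branch of set_package_data(): validates the
    requested folder before storing it and returns the updated package dict."""
    package["_folder"] = validate_package_folder(root, folder)
    return package


if __name__ == "__main__":
    # Constructed inputs: what a request could carry, and what would be stored.
    print(unsafe_package_folder(DOWNLOAD_ROOT, "/etc/cron.d"))  # root is lost
    print(set_package_folder({"pid": 1}, "movies/../shows"))   # stored as 'shows'
    for bad in ("/etc/cron.d", "../../etc", "a/../../b", "C:\\Windows", "..\\..\\etc"):
        print(bad, "rejected" if is_rejected(DOWNLOAD_ROOT, bad) else "ACCEPTED")
```

The normpath-then-check step alone is not sufficient on its own: a value like "a/../../b" normalizes to "../b", which the '..' test catches, but the realpath containment comparison is what protects against anything the textual rules miss, including symlinked subdirectories under the root.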

Remediation

Users are advised to update to pyLoad version 0.5.0b3.dev100 or later, where this vulnerability has been fixed. Until the update is applied, modify permissions on the pyLoad instance should be restricted to trusted accounts, since that permission is what the attacker needs to set the folder.

Added: May 11, 2026, 6:35 PM
Updated: May 11, 2026, 6:35 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 0.6
exploitability: 4.6
remediation: 7.7
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.