pygeoapi STAC FileSystemProvider Path Traversal Vulnerability
Vulnerability
A path traversal vulnerability has been identified in the STAC FileSystemProvider plugin of pygeoapi, a Python server implementation of OGC API standards. It affects pygeoapi versions from 0.23.0 up to, but not including, 0.23.3. The issue arises from raw string path concatenation, which can expose directories that were never meant to be served when STAC collection-based resources are configured. The vulnerability is particularly problematic when pygeoapi is deployed without a proxy or web front end that normalizes URLs containing '..' segments.
Impact
Exploitation of this vulnerability allows unauthorized access to directories through STAC collection-based requests, potentially leading to exposure of sensitive files or information.
Reproduction
To reproduce this vulnerability, deploy a pygeoapi version from 0.23.0 up to, but not including, 0.23.3 without a proxy or web front end that normalizes URLs. Configure a resource of type 'stac-collection' and make a request against that STAC collection-based resource. The response will include a directory listing that should not be accessible.
Remediation
Users are advised to update pygeoapi to version 0.23.3, which addresses the vulnerability by implementing proper path validation. The update can be downloaded from the pygeoapi GitHub releases page.
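The fix the advisory describes is path validation. As an added illustration, not pygeoapi's own code (the base directory, function names and request strings are assumed), here is the raw-concatenation pattern beside a containment check that rejects any resolved path outside the configured data directory:

```python
import os
from pathlib import Path
from typing import Optional


def naive_join(base_dir: str, requested: str) -> str:
    """Raw string concatenation, the pattern the advisory describes.
    Nothing here stops '..' segments from escaping base_dir.
    Illustrative only; not pygeoapi's actual code."""
    return os.path.normpath(base_dir + "/" + requested)


def resolve_under_base(base_dir: str, requested: str) -> Optional[Path]:
    """Resolve a requested item path and confirm it stays inside base_dir.

    Returns the resolved path, or None when the request would escape the
    data directory (via '..' segments, an absolute path, or a symlink that
    points outside it). Resolving first and checking afterwards is what
    makes this robust to any amount of '../' nesting.
    """
    base = Path(base_dir).resolve()
    # Path('/base') / '/abs' yields '/abs', so absolute requests are also
    # caught by the containment check below rather than special-cased.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def path_escapes_base(base_dir: str, requested: str) -> bool:
    """True when the naive join lands outside base_dir; useful as a check
    in a regression test for a file-serving handler."""
    base = os.path.realpath(base_dir)
    joined = os.path.realpath(naive_join(base_dir, requested))
    return os.path.commonpath([base, joined]) != base
```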