Sanster IOPaint Path Traversal Vulnerability Allowing Arbitrary File Read
Vulnerability
A path traversal vulnerability has been identified in Sanster IOPaint version 1.5.3, specifically within the File Manager component. The issue arises in the `_get_file` function of `iopaint/file_manager/file_manager.py`, where the `filename` parameter from user HTTP query strings is concatenated with a base directory path without proper validation or sanitization. This flaw enables remote attackers to manipulate the filename argument to escape the intended directory and access arbitrary files on the server.
Impact
Exploitation of this vulnerability allows for unauthorized reading of files from the server's filesystem, including sensitive system files, application configuration files, cryptographic keys, source code, and user data accessible to the process user.
Reproduction
To reproduce this vulnerability, IOPaint must be installed and started with the `--input` parameter pointing to a directory. Once the application is running and accessible, the vulnerability can be exploited by sending a GET request to the `/api/v1/media_file` or `/api/v1/media_thumbnail_file` endpoint with a crafted filename parameter that includes `../` sequences to traverse the file system and access restricted files.
Remediation
The vulnerability can be addressed by implementing proper validation and sanitization of the filename parameter to prevent path traversal. This includes rejecting any path separators, extracting only the filename component, and verifying that the resolved path remains within the base directory before allowing access.
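The following is an added example of those three checks applied to a media-file lookup; it is not IOPaint's own code, and the function and directory names are assumptions. The demo builds a constructed temporary media directory containing a legitimate file and a symlink that points outside it.

```python
import os
import tempfile
from pathlib import Path


class UnsafeFilenameError(ValueError):
    """Raised when a requested filename would escape the base directory."""


def safe_resolve(base_dir: str, filename: str) -> Path:
    """Resolve `filename` strictly inside `base_dir`, or raise (assumed helper name).

    1. reject NUL bytes and any path separator in the raw query parameter;
    2. keep only the final path component, so '..' can never survive;
    3. resolve symlinks and '..' and confirm the result is still under base_dir.
    """
    if not filename or "\x00" in filename:
        raise UnsafeFilenameError("empty filename or NUL byte")
    if "/" in filename or "\\" in filename:
        raise UnsafeFilenameError("path separators are not allowed")
    name = os.path.basename(filename)
    if name in ("", ".", ".."):
        raise UnsafeFilenameError("invalid filename component")
    base = Path(base_dir).resolve()
    candidate = (base / name).resolve()
    try:
        candidate.relative_to(base)          # raises ValueError if outside base
    except ValueError:
        raise UnsafeFilenameError("resolved path escapes base directory") from None
    if not candidate.is_file():
        raise FileNotFoundError(name)
    return candidate


def demo() -> dict:
    """Constructed scenario; returns 'allowed' or 'rejected: <reason>' per request."""
    root = Path(tempfile.mkdtemp())
    media = root / "media"
    media.mkdir()
    (media / "cat.png").write_bytes(b"\x89PNG")       # legitimate media file
    secret = root / "secret.txt"                      # file outside the media dir
    secret.write_text("outside the media dir")
    try:
        (media / "leak.txt").symlink_to(secret)       # symlink pointing outside
    except OSError:
        pass                                          # symlinks unsupported: skip
    results = {}
    for req in ("cat.png", "../secret.txt", "leak.txt", ".."):
        try:
            safe_resolve(str(media), req)
            results[req] = "allowed"
        except (UnsafeFilenameError, FileNotFoundError) as exc:
            results[req] = f"rejected: {exc}"
    return results
```

The symlink case is why the resolved-path check is needed in addition to separator filtering: `leak.txt` passes the first two checks but resolves outside the base directory.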