666ghj MiroFish Path Traversal Vulnerability in Query Parameter Handler

Vulnerability

A path traversal vulnerability has been identified in 666ghj MiroFish versions through 0.1.2. The issue arises in the Query Parameter Handler component, specifically within the get_simulation_posts function of backend/app/api/simulation.py. The vulnerability allows for arbitrary SQLite database reads by manipulating the platform query parameter. The lack of validation on the platform argument enables attackers to inject ../ sequences, potentially accessing any SQLite database file that ends with _simulation.db from various directories on the server. This vulnerability can be exploited remotely without authentication.

Impact

Successful exploitation allows unauthorized reading of arbitrary SQLite databases, including those containing sensitive simulation data. This could lead to cross-tenant data theft, where one user accesses another's private simulation results. The same path-building pattern is present in the get_simulation_comments function, but because that function hardcodes the platform value, the practical impact is limited to the posts endpoint.

Reproduction

To reproduce this vulnerability, send a GET request to the /api/simulation/<simulation_id>/posts endpoint with a crafted platform query parameter that includes ../ sequences. This will traverse the file path and access the targeted SQLite database. The vulnerability can also be exploited through the /comments endpoint, but with a different impact.

Remediation

Whitelist the platform parameter to allow only predefined values, such as 'twitter' or 'reddit'. This can be done by modifying the get_simulation_posts and get_simulation_comments functions to include a validation step that checks the platform value against an allowed list.
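The allow-list fix and the weak pattern it replaces, as an added example that is not MiroFish's own code: the per-simulation directory layout, the simulation id format and the file naming (apart from the _simulation.db suffix named in the advisory) are assumptions.

```python
import os
import re
from pathlib import Path
from typing import Optional

# Assumed layout, not taken from the MiroFish code base: each simulation has a
# directory under the simulation root holding one SQLite file per platform,
# named <platform>_simulation.db (the suffix comes from the advisory).
ALLOWED_PLATFORMS = frozenset({"twitter", "reddit"})
SIMULATION_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")  # assumed id format


def vulnerable_db_path(sim_root: str, simulation_id: str, platform: str) -> str:
    """The weak pattern: the query parameter flows straight into the file path,
    so a value containing ../ selects a database outside the simulation
    directory. Returned normalised to show which file the OS would open."""
    return os.path.normpath(
        os.path.join(sim_root, simulation_id, f"{platform}_simulation.db")
    )


def safe_db_path(sim_root: str, simulation_id: str, platform: str) -> Optional[Path]:
    """Return the database path for a valid request, or None when the request
    must be rejected (the route handler would then answer HTTP 400).

    The allow-list is the actual fix: any value that is not exactly 'twitter'
    or 'reddit' is refused, so encoded or mixed-case variants never reach the
    path logic. The id check and containment check are defence in depth."""
    if platform not in ALLOWED_PLATFORMS:
        return None
    if not SIMULATION_ID_RE.fullmatch(simulation_id):
        return None
    root = Path(sim_root).resolve()
    candidate = (root / simulation_id / f"{platform}_simulation.db").resolve()
    # resolve() follows symlinks, so a link inside root that points outside is caught too
    if root not in candidate.parents:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs for a local demonstration; no server or real data involved.
    print(vulnerable_db_path("/srv/sims", "sim1", "../../other/twitter"))
    print(safe_db_path("/srv/sims", "sim1", "twitter"))
    print(safe_db_path("/srv/sims", "sim1", "../../other/twitter"))
```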

Added: Apr 26, 2026, 10:21 PM
Updated: Apr 26, 2026, 10:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 6.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.