Path Traversal at Slack Image Endpoint in lightdash/lightdash

Valid

Reported on

Apr 11th 2023


Summary

Lightdash version <= 0.506.4 is vulnerable to a path traversal attack, allowing an attacker to access arbitrary files on the server. This vulnerability can be exploited by appending directory traversal sequences to the image ID parameter of the Slack image endpoint, enabling the attacker to bypass access controls and read sensitive files on the server.

Description

The Slack image endpoint is designed to serve images that have been uploaded to Slack and subsequently saved on the Lightdash server. The endpoint takes an image ID as a parameter and returns the corresponding image file. The vulnerability lies in the way the server handles the image ID parameter, which is not properly sanitized or validated.

Proof of Concept

An attacker can exploit this vulnerability by appending directory traversal sequences (e.g., "../") to the image ID parameter, which tricks the server into serving files outside the intended directory. In the vulnerable code snippet, the server constructs a file path based on the image ID parameter and checks whether the file exists. However, the check is not sufficient to prevent path traversal attacks, as it only checks whether the file exists in a specific directory (/tmp) and does not prevent access to files outside that directory.

Steps to Reproduce

(*) Required.

  1. Install the Lightdash server & database. (*)
  2. Connect Lightdash to a dbt project and add some metrics.
  3. Create and share insights with your team.
  4. Craft a request to the Slack image endpoint with a malicious image ID parameter that includes directory traversal sequences. (*) For example:
     https://demo.lighthouse.com/api/v1/slack/image/slack-image%2F..%2F..%2F..%2Fetc%2Fpasswd
  5. Send the request to the server.
  6. The server will respond with the contents of the /etc/passwd file.

Recommended Mitigation

To mitigate this vulnerability, the image ID parameter should be validated and sanitized before it is passed to path.join(). Specifically, any directory traversal sequences should be rejected, and the resulting file path should be resolved and checked to confirm that it still lies within the intended directory. Additionally, it may be helpful to limit the files and directories that can be accessed through the /api/v1/slack/image route to a specific whitelist of file names.
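The following is an added illustration of the defect described in the Proof of Concept and of the mitigation above; it is not Lightdash's code and does not reproduce slackRouter.ts. The base directory (/tmp/slack-images), the file-name pattern and the function names are assumptions chosen for the example. The vulnerable resolver shows how path.join() alone lets a traversal sequence escape the directory; the hardened resolver allowlists the ID and then checks that the resolved path is still inside the base directory.

```typescript
import * as path from 'path';

// Assumed storage location; the report only says the check was against /tmp.
export const SLACK_IMAGE_DIR = path.resolve('/tmp/slack-images');

// Vulnerable pattern as the report describes it: the ID is joined onto the
// base directory and only an existence check follows. "../" segments are
// normalized away by path.join, so the result can leave SLACK_IMAGE_DIR.
export function vulnerableImagePath(imageId: string): string {
  return path.join(SLACK_IMAGE_DIR, imageId);
}

// Assumed allowlist: a bare file name with an image extension, no separators.
const IMAGE_ID_PATTERN = /^[A-Za-z0-9_-]+\.(png|jpe?g|gif)$/;

// Hardened resolver: returns the absolute path to serve, or null to reject.
export function safeImagePath(rawImageId: string): string | null {
  // The PoC encodes "/" as %2F; decode once so the check sees the real value.
  let imageId: string;
  try {
    imageId = decodeURIComponent(rawImageId);
  } catch (e) {
    return null; // malformed percent-encoding
  }

  // First line of defence: reject anything that is not a plain file name.
  if (!IMAGE_ID_PATTERN.test(imageId)) {
    return null;
  }

  // Second line of defence (defence in depth): resolve and confirm containment.
  const resolved = path.resolve(SLACK_IMAGE_DIR, imageId);
  if (!resolved.startsWith(SLACK_IMAGE_DIR + path.sep)) {
    return null;
  }
  return resolved;
}
```

The containment check is redundant while the allowlist holds, but it keeps the route safe if the pattern is later loosened (for example to permit subdirectories), which is the failure mode the report describes.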

Impact

This vulnerability allows an unauthenticated attacker to access sensitive files on the server, leading to potential information disclosure.

We are processing your report and will contact the lightdash team within 24 hours. a month ago
Dwi Siswanto modified the report
a month ago
We have contacted a member of the lightdash team and are waiting to hear back a month ago
Dwi Siswanto
a month ago

Researcher


Hey, @admin. A silent fix just rolled out; are there any updates?

Pavlos
a month ago

Admin


Can you provide a patch commit SHA? For a CVE, feel free to ask them and show us; otherwise they will have to come on platform.

We have sent a follow up to the lightdash team. We will try again in 7 days. a month ago
Dwi Siswanto
a month ago

Researcher


@admin - Here is the patch: https://github.com/lightdash/lightdash/commit/fcc808c84c2cc3afb343063e32a49440d32a553c

We have sent a second follow up to the lightdash team. We will try again in 10 days. a month ago
Pavlos validated this vulnerability 23 days ago
Dwi Siswanto has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Pavlos marked this as fixed in 0.510.3 with commit fcc808 23 days ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Pavlos published this vulnerability 23 days ago
slackRouter.ts#L66-L71 has been validated