Description
The /compile endpoint in gdbui_server/main.py (line 78-80) takes the name parameter from user JSON input and uses it directly in a file path without any sanitization:
name = data.get('name')
with open(f'{name}.cpp', 'w') as file:
file.write(code)An attacker can submit a request like:
{
"name": "../../etc/cron.d/malicious",
"code": "arbitrary content here"
}This would write to ../../etc/cron.d/malicious.cpp, escaping the intended directory. The same unsanitized name is also passed to subprocess.run for the output path on line 83:
result = subprocess.run(['g++', f'{name}.cpp', '-o', f'output/{name}.exe'], ...)Impact
Arbitrary file write to any path the server process has permissions for. An attacker can overwrite configuration files, write web shells, or create cron jobs.
Suggested fix
Sanitize the name parameter by stripping path separators and using os.path.basename(), or validate it against an allowlist of characters:
import re
name = data.get('name')
if not name or not re.match(r'^[a-zA-Z0-9_-]+$', name):
return jsonify({'success': False, 'error': 'Invalid file name'}), 400
Description
The
/compileendpoint ingdbui_server/main.py(line 78-80) takes thenameparameter from user JSON input and uses it directly in a file path without any sanitization:An attacker can submit a request like:
{ "name": "../../etc/cron.d/malicious", "code": "arbitrary content here" }This would write to
../../etc/cron.d/malicious.cpp, escaping the intended directory. The same unsanitizednameis also passed tosubprocess.runfor the output path on line 83:Impact
Arbitrary file write to any path the server process has permissions for. An attacker can overwrite configuration files, write web shells, or create cron jobs.
Suggested fix
Sanitize the
nameparameter by stripping path separators and usingos.path.basename(), or validate it against an allowlist of characters: