Description
The /upload_file endpoint in gdbui_server/main.py (lines 91-105) takes the name form field from user input and uses it to construct the file save path with no sanitization:
name = request.form['name']
file_path = os.path.join('output/', ensure_exe_extension(name))
file.save(file_path)os.path.join('output/', '../../../../tmp/evil') resolves to ../../../../tmp/evil, so an attacker can upload a file to any location on the filesystem by providing a crafted name value.
Impact
Arbitrary file upload to any writable path. Combined with the .exe extension enforcement (which only appends .exe if not already present), an attacker can write executable files to arbitrary directories.
Suggested fix
Same approach as the /compile fix -- validate the name against a safe pattern and use os.path.basename():
from werkzeug.utils import secure_filename
name = secure_filename(request.form['name'])
if not name:
return jsonify({'success': False, 'error': 'Invalid file name'}), 400
file_path = os.path.join('output/', ensure_exe_extension(name))Flask's werkzeug.utils.secure_filename strips path separators and other dangerous characters.
Description
The
/upload_fileendpoint ingdbui_server/main.py(lines 91-105) takes thenameform field from user input and uses it to construct the file save path with no sanitization:os.path.join('output/', '../../../../tmp/evil')resolves to../../../../tmp/evil, so an attacker can upload a file to any location on the filesystem by providing a craftednamevalue.Impact
Arbitrary file upload to any writable path. Combined with the
.exeextension enforcement (which only appends.exeif not already present), an attacker can write executable files to arbitrary directories.Suggested fix
Same approach as the
/compilefix -- validate thenameagainst a safe pattern and useos.path.basename():Flask's
werkzeug.utils.secure_filenamestrips path separators and other dangerous characters.