Path Traversal at Slack Image Endpoint in lightdash/lightdash
Apr 11th 2023
Lightdash version <= 0.506.4 is vulnerable to a path traversal attack, allowing an attacker to access arbitrary files on the server. This vulnerability can be exploited by appending directory traversal sequences to the image ID parameter of the Slack image endpoint, enabling the attacker to bypass access controls and read sensitive files on the server.
The Slack image endpoint is designed to serve images that have been uploaded to Slack and subsequently saved on the Lightdash server. The endpoint takes an image ID as a parameter and returns the corresponding image file. The vulnerability lies in the way the server handles the image ID parameter, which is not properly sanitized or validated.
Proof of Concept
An attacker can exploit this vulnerability by appending directory traversal sequences (e.g., "../") to the image ID parameter, which tricks the server into serving files outside the intended directory. In the vulnerable code snippet, the server constructs a file path based on the image ID parameter and checks whether the file exists. However, the check is not sufficient to prevent path traversal attacks, as it only checks whether the file exists under a specific directory (/tmp) and does not prevent access to files outside that directory.
Steps to Reproduce
- Install the Lightdash server & database. (*)
- Connect Lightdash to a dbt project and add some metrics.
- Create and share insights with your team.
- Craft a request to the Slack image endpoint with a malicious image ID parameter that includes directory traversal sequences. (*) For example:
- Send the request to the server.
- The server will respond with the contents of the
To mitigate this vulnerability, it is recommended that the image ID parameter be properly validated and sanitized before it is passed to path.join(). Specifically, any directory traversal sequences should be removed or rejected, and the resulting file path should be checked to ensure that it lies within the intended directory. Additionally, it may be helpful to limit the files and directories that can be accessed through the /api/v1/slack/image route to a specific whitelist.
This vulnerability allows an unauthenticated attacker to access sensitive files on the server, leading to potential information disclosure.