chicken-users

[SECURITY] awful-salmonella-tar: path traversal vulnerability


From: Mario Domenech Goulart
Subject: [SECURITY] awful-salmonella-tar: path traversal vulnerability
Date: Sat, 19 Feb 2022 09:59:10 +0100

Hi,

A ..%2F path traversal vulnerability exists in the path handler of
awful-salmonella-tar before version 0.0.4.  Attackers can only list
directories (not read files). This occurs because the `safe-path?'
predicate is not used for directories.

This vulnerability would allow attackers to navigate through the
filesystem of the server (provided execute access to directories for the
user running the web server).  Attackers could only list the contents of
directories -- not download files.

The vulnerability was caused by the lack of a check for the validity of
requested paths when handling directories, notably when `..%2F' (`../'
URL-encoded) was present in requested paths.

Background:

awful-salmonella-tar [3] is implemented using awful [0].  Awful is
implemented on top of spiffy [1], and overrides the `(handle-not-found)'
parameter to map URL paths to procedures.  Spiffy takes some precautions
regarding dealing with malicious paths when it handles static files.
Code that uses spiffy to implement generation of dynamic content (like
awful does) must take its own precautions.

awful-salmonella-tar uses a procedure (`safe-path?') with a relatively
strict policy to allow access to files, but it was not being used to
validate access to directories, and that was causing the vulnerability.

The fix [2] consists of applying the `safe-path?' procedure to all
requested paths.
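To illustrate the pattern described above, here is an added Python sketch
(not the egg's Scheme code, and not the actual fix in [2]): a `safe_path'
predicate, a resolver that skips it for directories as versions before
0.0.4 did, and one that applies it to every request.  The document root
and request paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the example (the egg serves salmonella
# tarball contents; any root works for the check itself).
ROOT = "/srv/www"


def safe_path(root, url_path):
    """Return the filesystem path for url_path if it stays inside root,
    else None.

    The request path is percent-decoded first, so that `..%2F' is seen
    as `../' before normalisation.  Normalisation here is purely lexical;
    a real deployment would also resolve symlinks (os.path.realpath).
    """
    decoded = unquote(url_path)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def resolve_vulnerable(root, url_path, is_directory):
    """Behaviour before 0.0.4: the predicate guards file reads only, so a
    directory listing request is mapped onto the filesystem unchecked."""
    if is_directory:
        return posixpath.normpath(
            posixpath.join(root, unquote(url_path).lstrip("/")))
    return safe_path(root, url_path)


def resolve_fixed(root, url_path, is_directory):
    """Behaviour after the fix: every requested path, file or directory,
    goes through safe_path; traversal attempts resolve to None."""
    return safe_path(root, url_path)


if __name__ == "__main__":
    req = "..%2F..%2Fetc"  # constructed traversal request
    print("vulnerable:", resolve_vulnerable(ROOT, req, True))   # /etc
    print("fixed:     ", resolve_fixed(ROOT, req, True))        # None
```

A request for `/' or for a path under the root still resolves normally
in the fixed resolver, so the check rejects only paths that escape it.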

Thanks to Chris Brannon for responsibly reporting this issue.

This issue has been assigned CVE-2022-25358.

[0] https://wiki.call-cc.org/eggref/5/awful
[1] https://wiki.call-cc.org/eggref/5/spiffy
[2] https://github.com/mario-goulart/awful-salmonella-tar/commit/f705c881769b7610745cd4b4d8ae8b41b3f4f845
[3] https://wiki.call-cc.org/eggref/5/awful-salmonella-tar

All the best.
Mario
-- 
http://parenteses.org/mario