Summary

ZIP files uploaded to the server-side endpoint that handles a CodeChecker store are not properly sanitized. An attacker can exploit a path traversal to make the CodeChecker server load and display files from an arbitrary location on the server machine.

Details

Target

The vulnerable endpoint is /<PRODUCT_URL>/v6.53/CodeCheckerService@massStoreRun.

Exploit overview

The attack is made possible by improper sanitization at one point in the process. When the ZIP file is uploaded by CodeChecker store, it is first unzipped to a temporary directory (safely). The decision about which files to insert into CodeChecker's internal database is then made based on the content_hashes.json in the ZIP. An attacker has control over the contents of this file. After reading that file, the paths specified in the JSON are normalized by this code: https://github.com/Ericsson/codechecker/blob/fa41e4e5d9566b5a4f5a80a27bddec73a5146f5a/web/server/codechecker_server/api/mass_store_run.py#L442-L444

By providing enough ../ components inside content_hashes.json, an attacker can control the insertion of completely arbitrary files into CodeChecker's internal database. This is confirmed in the log output:

mass_store_run.py:444 __store_source_files() – Storing source file: /etc/passwd

Once the file is inserted into the internal database, it can be displayed trivially on the Web interface. As CodeChecker doesn't distinguish between filenames after the ZIP is extracted, an attacker can define…
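The following is an added example, not CodeChecker's code and not a reproduction of the lines linked above: it illustrates the vulnerability class the advisory describes (a path from attacker-controlled JSON joined to the extraction directory and merely normalized) beside a hardened resolver that refuses any result outside the extraction directory. The extraction directory, the JSON contents and the assumption that content_hashes.json maps ZIP-relative paths to hashes are all constructed for the illustration.

```python
"""Path traversal via attacker-controlled entries in content_hashes.json.

Added illustration only; the real CodeChecker resolution code is not
reproduced here. EXTRACT_DIR and SAMPLE_CONTENT_HASHES are constructed.
"""
import json
import os

# Constructed: where the (safely) unzipped upload is assumed to live.
EXTRACT_DIR = "/tmp/codechecker_store_example"

# Constructed: a hostile content_hashes.json. The schema (path -> hash) is
# an assumption for this example; only the keys matter for the traversal.
SAMPLE_CONTENT_HASHES = json.dumps({
    "src/main.cpp": "0123abcd",
    "../../../../../../etc/passwd": "deadbeef",
    "src/../../../etc/shadow": "cafebabe",
    "../codechecker_store_example_evil/x.cpp": "f00dbabe",
})


def naive_resolve(extract_dir, rel_path):
    """Vulnerable pattern: join, then normalize, with no containment check.

    os.path.normpath collapses '..' components lexically, so enough of them
    walk out of extract_dir and the result can name any file on the host.
    """
    return os.path.normpath(os.path.join(extract_dir, rel_path))


def safe_resolve(extract_dir, rel_path):
    """Hardened pattern: reject absolute paths, resolve symlinks and '..',
    then require the result to be extract_dir itself or strictly below it.

    The comparison appends os.sep so that a sibling directory whose name
    merely starts with extract_dir's name does not pass the prefix test.
    """
    if os.path.isabs(rel_path):
        raise ValueError(f"absolute path rejected: {rel_path!r}")
    root = os.path.realpath(extract_dir)
    candidate = os.path.realpath(os.path.join(root, rel_path))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise ValueError(f"path escapes extraction dir: {rel_path!r}")
    return candidate


def select_files(extract_dir, content_hashes_json, resolver):
    """Model the decision step: which server-side paths would be read and
    stored for each JSON entry. Returns (stored_paths, rejected_entries)."""
    stored, rejected = [], []
    for rel_path in json.loads(content_hashes_json):
        try:
            stored.append(resolver(extract_dir, rel_path))
        except ValueError as exc:
            rejected.append((rel_path, str(exc)))
    return stored, rejected


if __name__ == "__main__":
    for name, resolver in (("naive", naive_resolve), ("safe", safe_resolve)):
        stored, rejected = select_files(EXTRACT_DIR, SAMPLE_CONTENT_HASHES, resolver)
        print(f"[{name}] would store:")
        for path in stored:
            print(f"    {path}")
        for rel_path, reason in rejected:
            print(f"    rejected {rel_path!r}: {reason}")
```

With the naive resolver every entry is "stored", including /etc/passwd and /etc/shadow, which is exactly the log line quoted above; the safe resolver keeps only src/main.cpp. Note that a containment check after joining is the fix, not stripping "../" substrings from the input, since encodings and mixed separators make string filtering fragile.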