GHSA-9CP7-J3F8-P5JX: Unauthenticated Path Traversal and Zip Slip in Daptin

Daptin is a Backend-as-a-Service (BaaS) and headless CMS project. GHSA-9CP7-J3F8-P5JX details a critical vulnerability affecting file upload and archiving functionalities within the Daptin core. Multiple endpoints fail to properly sanitize user-supplied file paths and archive entries before performing filesystem operations.

This improper handling allows unauthenticated remote attackers to write arbitrary files outside intended directories. The vulnerability encompasses both classical Path Traversal (CWE-22) and Zip Slip (CWE-29) variants. The application exposes these unsafe functions across numerous handlers without requiring user authentication.

Successful exploitation yields unauthenticated arbitrary file write capabilities. This capability routinely leads to Remote Code Execution (RCE) depending on the environment configuration and the privilege level of the Daptin process.

The fundamental flaw originates from the application passing unsanitized user input directly to Go's filepath.Join and path.Join functions. These functions dictate the target destination for file write operations across various application modules. In Go, if the second argument to filepath.Join contains absolute paths or directory traversal sequences like ../../, the resulting path successfully escapes the intended base directory.

Daptin implemented this vulnerable pattern across multiple distinct subsystems. The unzip function within server/actions/action_cloudstore_file_upload.go joined a target directory with the unsanitized file.Name from ZIP entries. This represents a textbook Zip Slip vulnerability.

Other upload handlers utilized user-controlled parameters, specifically fileName and atPath, directly in target path construction. This included Base64 upload handlers, streaming handlers via AssetUploadHandler, and multipart metadata parsing routines. The conversion logic for CSV and XLS files similarly saved temporary files using unsanitized request metadata.

The integrated FTP server in server/ftp_server.go failed to restrict the OpenFile and GetFileInfo commands to the user's designated sandbox. Additionally, the SubsiteRequestHandler in server/subsite_handler.go improperly resolved paths for hosted sub-sites, extending the traversal risk to sub-site request handling.

Attackers exploit this vulnerability without authentication by targeting the vulnerable file processing endpoints. The attack requires crafting malicious HTTP requests or malicious archive files depending on the targeted handler. The endpoints perform no access control validation prior to evaluating the file paths.

For the Zip Slip vector, an attacker creates a ZIP archive containing file entries with traversal sequences in their names, such as ../../../../tmp/malicious.sh. The attacker then uploads this archive to the cloud store file upload endpoint. The application extracts the contents to the resolved, out-of-bounds locations on the filesystem.

For direct path traversal attacks, the attacker specifies malicious paths within query parameters or JSON body fields. An attacker supplies payloads like filename=../../../../home/user/.ssh/authorized_keys or atPath=../../etc/ to the vulnerable upload endpoints. The server subsequently writes the uploaded file content to the targeted system path.

The integrated FTP server provides an alternate exploitation route. Attackers use standard FTP clients to issue retrieval or storage commands with traversal payloads. This effectively bypasses the intended directory sandbox restrictions without requiring complex HTTP requests.

The maintainers addressed these vulnerabilities in commit 8d626bbb14f82160a08cbca53e0749f475f5742c. The patch implements a standardized input sanitization routine across all components interacting with the filesystem. This approach resolves the systemic reliance on unsafe join operations.

The remediation utilizes filepath.Clean() to normalize the input path and resolve internal traversal sequences safely. Following normalization, a recursive loop strips any leading traversal characters and path separators. This guarantees the resulting path remains relative to the intended directory structure.

// Sanitization logic introduced in the patch
entryName := filepath.Clean(file.Name)
for strings.HasPrefix(entryName, "..") {
    entryName = strings.TrimPrefix(strings.TrimPrefix(entryName, ".."), string(filepath.Separator))
}

For modules handling CSV/XLS conversions and schema handling, the patch enforces strict anchoring. The developers utilized filepath.Base() to discard all directory components entirely. This ensures the application only processes the final filename segment, strictly eliminating the possibility of directory traversal.

The successful execution of this vulnerability grants an attacker arbitrary file write privileges on the host filesystem. Attackers utilize this primitive to overwrite critical system files or inject malicious application code. This typically provides a direct escalation path to complete system compromise.

An attacker can overwrite SSH authorized keys in user home directories, granting persistent secure shell access to the host. Alternatively, the attacker can overwrite existing executable binaries or Daptin configuration files. This allows the attacker to alter application behavior or execute arbitrary commands under the application's user context.

If the Daptin instance runs with elevated privileges, the impact scales proportionally. Root execution allows the attacker to modify core operating system configurations, establishing a permanent and privileged foothold. The unauthenticated nature of the attack makes it highly critical for exposed internet-facing deployments.

Organizations operating Daptin must upgrade to a version incorporating commit 8d626bbb14f82160a08cbca53e0749f475f5742c. The repository currently tracks this fix explicitly via commit history. Administrators should ensure they pull the latest main branch or build from an explicitly patched release.

If immediate upgrading is impossible, network administrators should deploy Web Application Firewall (WAF) rules to detect and block directory traversal sequences in HTTP request parameters. Specifically, rules should monitor filename and atPath parameters, as well as uploaded archive contents, for ../ patterns.

Organizations should also enforce the principle of least privilege on the Daptin service account. Ensure the process runs with an unprivileged user restricted to necessary application directories. This containment limits the scope of any successful file write operation, preventing system-wide compromise.