June 8, 2021

GHSL-2021-075: Path injection in Django - CVE-2021-33203

GitHub Security Lab

Coordinated Disclosure Timeline

Summary

A path injection issue was found in django that allows a malicious admin user to disclose the presence of files on the file system if the django.contrib.admindocs module is enabled.

Product

django

Tested Version

3.2.2

Details

There is an unsafe Path join operation in views.py of django.contrib.admindocs: pathlib's `/` operator discards the left-hand base directory whenever the right-hand operand is an absolute path, so an attacker can supply paths that are outside the templates directory (see NOTE(1) in the code below).

# Excerpt from django/contrib/admindocs/views.py (Django 3.2.2); imports added
# here for context. BaseAdminDocsView is defined earlier in the same module.
from pathlib import Path

from django.core.exceptions import ImproperlyConfigured
from django.template.engine import Engine


class TemplateDetailView(BaseAdminDocsView):
    template_name = 'admin_doc/template_detail.html'

    def get_context_data(self, **kwargs):
        # `template` comes straight from the URL (see the request below).
        template = self.kwargs['template']
        templates = []
        try:
            default_engine = Engine.get_default()
        except ImproperlyConfigured:
            # Non-trivial TEMPLATES settings aren't supported (#24125).
            pass
        else:
            # This doesn't account for template loaders (#24128).
            for index, directory in enumerate(default_engine.dirs):
                # NOTE(1): `template` is controlled by an attacker; an absolute
                # value replaces `directory` entirely.
                template_file = Path(directory) / template
                if template_file.exists():
                    # NOTE(2): the file is read and its contents are passed on
                    # to the template context.
                    template_contents = template_file.read_text()
                else:
                    template_contents = ''
                templates.append({
                    'file': template_file,
                    'exists': template_file.exists(),
                    'contents': template_contents,
                    'order': index,
                })
        return super().get_context_data(**{
            **kwargs,
            'name': template,
            'templates': templates,
        })

By logging in as an admin and requesting the following page, an attacker can detect the presence of arbitrary files in the filesystem, in this case the presence of /etc/passwd:

http://localhost:8000/admin/doc/templates//etc/passwd/

At NOTE(2) we see that the file is read and its contents are passed to the rendering method. We could not find a way to display the results, but a more in-depth look into this seems advisable.
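The following added example (not Django's code, and not Django's own fix) reproduces the core of the bug without a Django install: `unsafe_join` mirrors the vulnerable `Path(directory) / template` expression, and the hypothetical `safe_template_path` shows one containment check that rejects both absolute paths and `..` traversal. The `__main__` section runs it against a constructed temporary templates directory.

```python
from pathlib import Path
from typing import Optional


def unsafe_join(directory: str, template: str) -> Path:
    """Mirrors `Path(directory) / template` from the vulnerable view.

    pathlib drops the left-hand operand when the right-hand one is
    absolute, so template="/etc/passwd" yields Path("/etc/passwd").
    """
    return Path(directory) / template


def file_exists_leak(directory: str, template: str) -> bool:
    """What the vulnerable view exposes: whether the joined path exists."""
    return unsafe_join(directory, template).exists()


def safe_template_path(directory: str, template: str) -> Optional[Path]:
    """Hypothetical hardened join (an assumption, not Django's own patch).

    Resolve both base and candidate (following symlinks) and require the
    candidate to remain inside the base. Returns None on escape, which
    covers absolute inputs and "../" traversal alike.
    """
    base = Path(directory).resolve()
    candidate = (base / template).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    import tempfile

    # Constructed sample: a temporary templates directory with one file.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "admin").mkdir()
        (Path(tmp) / "admin" / "index.html").write_text("<p>hi</p>")
        for name in ("admin/index.html", "/etc/passwd", "../../etc/passwd"):
            print(f"{name!r:22} unsafe -> {unsafe_join(tmp, name)}"
                  f"  exists={file_exists_leak(tmp, name)}")
            print(f"{'':22} safe   -> {safe_template_path(tmp, name)}")
```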

Impact

An authenticated malicious admin can disclose the presence of arbitrary files.

Resources

CVE

Credit

This issue was discovered by Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from the CodeQL Python team.

Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2021-075 in any communication regarding this issue.