Path traversal when using `preview-docs` when working dir contains files with question mark `?` in name

Low

RomanHotsiy published GHSA-q324-q795-2q5p

Oct 9, 2021

Package

@redocly/openapi-cli (npm)

Affected versions

>=1.0.0-beta.9 <1.0.0-beta.59

Patched versions

>=1.0.0-beta.59

Description

Impact

preview-docs command allows path traversal if current working dir contains files with question mark ? in name and attacker knows the name.

Patches

It was patched starting from 1.0.0-beta.59

Workarounds

Do not run openapi-cli preview-docs command in the folder which contains files with question mark ? in name.

References

For more information

If you have any questions or comments about this advisory:

Open an issue in @redocly/openapi-cli
Email us at [email protected]

Weaknesses

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Learn more on MITRE.