+ "details": "### Summary\nThe official example script `examples/recursively_extract_attachments.py` contains a path traversal vulnerability that allows arbitrary file write outside the intended output directory. Attachment filenames extracted from parsed emails are directly used to construct output file paths without any sanitization, allowing an attacker-controlled filename to escape the target directory.\n\n### Details\nFile: `examples/recursively_extract_attachments.py`\nLines: 61–64\n```python\nfor a in m['attachment']:\n out_filepath = out_path / a['filename'] # No sanitization\n print(f'\\tWriting attachment: {out_filepath}')\n with out_filepath.open('wb') as a_out:\n a_out.write(base64.b64decode(a['raw']))\n```\n\nThe value `a['filename']` is attacker-controlled via crafted email attachment headers:\n```\nContent-Disposition: attachment; filename=\"../outside/pwned.txt\"\n```\n\nNo path normalization or boundary validation is performed before writing.\n\n### PoC\n1. Create a malicious `.eml` file:\n```\nContent-Disposition: attachment; filename=\"../outside/pwned.txt\"\n```\n2. Run the example script:\n```\npython recursively_extract_attachments.py -p ./emails -o ./safe\n```\n3. Expected: `./safe/pwned.txt` \n4. Actual: `./outside/pwned.txt` ← written outside the intended directory\n\nVerified on Kali Linux with eml_parser installed via pip in a virtual environment.\n\n### Impact\nThis vulnerability is limited to the **example script only** and does not affect the core eml_parser library. However, as the script is part of the official repository and is likely to be adapted for production use, an attacker supplying a crafted email could achieve arbitrary file write within the execution context.\n\nPotential attack scenarios include:\n- Cron job injection: `filename=\"../../etc/cron.d/backdoor\"`\n- Web shell upload: `filename=\"../../var/www/html/shell.php\"`\n- SSH key injection: `filename=\"../../home/user/.ssh/authorized_keys\"`\n\n### Recommended Fix\n```python\nimport os.path\n\nfor a in m['attachment']:\n filename = os.path.basename(a['filename'])\n out_filepath = out_path / filename\n\n if not out_filepath.resolve().is_relative_to(out_path.resolve()):\n print(f'[!] Skipping suspicious filename: {a[\"filename\"]}')\n continue\n\n print(f'\\tWriting attachment: {out_filepath}')\n with out_filepath.open('wb') as a_out:\n a_out.write(base64.b64decode(a['raw']))\n```",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments