GHSA-q764-g6fm-555v
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q764-g6fm-555v
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-q764-g6fm-555v/GHSA-q764-g6fm-555v.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-q764-g6fm-555v
- Aliases
- Published
- 2023-01-23T22:05:11Z
- Modified
- 2023-11-08T04:11:40.872655Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L CVSS Calculator
- Summary
- Path traversal in spotipy
- Details
-
Summary
If a malicious URI is passed to the library, the library can be tricked into performing an operation on a different API endpoint than intended.
Details
The code Spotipy uses to parse URIs and URLs accepts user data too liberally which allows a malicious user to insert arbitrary characters into the path that is used for API requests. Because it is possible to include
.., an attacker can redirect for example a track lookup viaspotifyApi.track()to an arbitrary API endpoint like playlists, but this is possible for other endpoints as well.Before the security advisory feature was enabled on GitHub, I was already in contact with Stéphane Bruckert via e-mail, and he asked me to look into a potential fix.
My recommendation is to perform stricter parsing of URLs and URIs, which I implemented in the patch included at the end of the report. If you prefer, I can also invite you to a private fork of the repository.
Impact
The impact of this vulnerability depends heavily on what operations a client application performs when it handles a URI from a user and how it uses the responses it receives from the API.
- References
Affected packages
PyPI / spotipy
Package
- Name
- spotipy
- View open source insights on deps.dev
- Purl
- pkg:pypi/spotipy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.22.1