The vulnerability is a classic path traversal issue within the bulk import functionality of Mattermost. The root cause was the failure to sanitize and validate user-provided file paths for various types of attachments (posts, replies, user/bot profile images, and custom emojis) contained within the imported JSONL file.
The investigation of the patch d38c27f96fcf754c36f231d1f2e9dbd48ad40bab reveals that several functions were involved. The functions processAttachmentPaths and processAttachments in server/channels/app/import.go were directly responsible for constructing file paths by calling filepath.Join on raw, unvalidated input. Because filepath.Join cleans its result, ../ segments in the attachment path are honoured, so a crafted path resolves outside the import directory. This is where the traversal path was actually constructed.
Furthermore, a set of validation functions within server/channels/app/imports/import_validators.go (e.g., ValidatePostImportData, ValidateUserImportData) were also culpable. These functions were supposed to validate the integrity of the import data but were missing the crucial checks for attachment paths. An attacker with system admin privileges could craft a malicious import file with ../ sequences in the path fields of attachment objects, causing the server to read and potentially expose arbitrary files from the filesystem during the import process.
The patch rectifies this by introducing a new, centralized validation function, ValidateAttachmentPathForImport, which ensures that any resolved path is strictly within the intended base directory. This new function is then called from all the previously vulnerable validation and processing functions, effectively closing the security hole through a defense-in-depth approach.
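To make the before/after concrete, the following Go program is an added illustration of the two patterns described above: the pre-patch "join and go" construction next to a containment check of the kind the patch introduces, with the check reused from a validator that walks a post's attachment list. It is not Mattermost's code; the function names (validateImportAttachmentPath, validateAttachments), the attachmentImportData struct, the base directory and the sample paths are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// errPathTraversal is returned when a resolved attachment path lands outside the import directory.
var errPathTraversal = errors.New("attachment path escapes the import directory")

// attachmentImportData models an attachment object from the import JSONL
// (hypothetical shape for this example, not Mattermost's struct).
type attachmentImportData struct {
	Path *string
}

// unsafeAttachmentPath reproduces the pre-patch pattern: base directory and
// user-supplied path are joined with no containment check. filepath.Join
// cleans the result, so "../" segments are honoured and can climb out of base.
func unsafeAttachmentPath(baseDir, userPath string) string {
	return filepath.Join(baseDir, userPath)
}

// validateImportAttachmentPath resolves userPath against baseDir and returns
// the absolute path only if it stays strictly inside baseDir. This is the
// containment check the page describes; the name and signature are assumptions.
func validateImportAttachmentPath(baseDir, userPath string) (string, error) {
	if userPath == "" {
		return "", errors.New("attachment path is empty")
	}
	// Policy choice for this example: import data must use relative paths.
	if filepath.IsAbs(userPath) {
		return "", fmt.Errorf("%w: absolute path %q", errPathTraversal, userPath)
	}
	base := filepath.Clean(baseDir)
	resolved := filepath.Join(base, userPath) // Join cleans, collapsing "." and ".."

	// Compare on the cleaned result, not on the raw string: "a/../../x" has no
	// leading "../" yet resolves to a sibling of base.
	rel, err := filepath.Rel(base, resolved)
	if err != nil {
		return "", err
	}
	if rel == "." {
		return "", errors.New("attachment path resolves to the import directory itself")
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves to %q", errPathTraversal, userPath, resolved)
	}
	// Caveat: this is a lexical check. Symlinks inside baseDir are not followed;
	// callers that need that must additionally use filepath.EvalSymlinks on the
	// existing path before opening it.
	return resolved, nil
}

// validateAttachments shows the validator-side call the patch adds: every
// attachment in a post (or reply, profile image, emoji) goes through the same
// containment check before any file is opened.
func validateAttachments(baseDir string, attachments []attachmentImportData) error {
	for i, a := range attachments {
		if a.Path == nil {
			return fmt.Errorf("attachment %d: path missing", i)
		}
		if _, err := validateImportAttachmentPath(baseDir, *a.Path); err != nil {
			return fmt.Errorf("attachment %d: %w", i, err)
		}
	}
	return nil
}

func strPtr(s string) *string { return &s }

func main() {
	const baseDir = "/data/import" // constructed example directory
	// Constructed sample paths as they might appear in an import JSONL.
	samples := []string{
		"posts/screenshot.png",
		"a/../b.txt",
		"../../etc/passwd",
		"a/../../outside.txt",
	}
	for _, p := range samples {
		fmt.Printf("unsafe join : %-22q -> %s\n", p, unsafeAttachmentPath(baseDir, p))
		if resolved, err := validateImportAttachmentPath(baseDir, p); err != nil {
			fmt.Printf("validated   : %-22q -> REJECTED (%v)\n", p, err)
		} else {
			fmt.Printf("validated   : %-22q -> %s\n", p, resolved)
		}
	}
	post := []attachmentImportData{{Path: strPtr("posts/ok.png")}, {Path: strPtr("../secret")}}
	fmt.Println("post attachments:", validateAttachments(baseDir, post))
}
```

The design point is that the check runs on the cleaned, resolved path via filepath.Rel rather than on the raw string: a naive "does it start with ../" test misses inputs such as a/../../x, and a plain strings.HasPrefix(resolved, base) test would wrongly accept /data/import-old when the base is /data/import. The check is lexical only, so a deployment that allows symlinks inside the import directory still needs filepath.EvalSymlinks before the file is opened.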