Bug
Resolution: Unresolved
Vulnerability Details
CWE Type(s): CWE-22 (Path Traversal)
Severity: MEDIUM
Team: PyTorch Compile
Location
- File: benchmarks/dynamo/common.py
- Lines: 4210
Description
Path Traversal vulnerability in output filename construction. The code uses os.path.join with user-controlled args.output without validation, allowing directory traversal via ../ sequences. Users can specify output paths like "../../etc/passwd" to write benchmark results to arbitrary filesystem locations.
Impact
- Write benchmark output files to arbitrary locations on the filesystem
- Overwrite system configuration files or sensitive data
- Bypass intended output directory restrictions
- Potential for persistence via writing to startup directories
Root Cause
The code at line 4210 uses os.path.join with user-controlled args.output and args.output_directory without validation. No checks prevent path traversal sequences (..) or validation that resolved paths stay within the intended directory.
Fix Status
MR Link: https://gitlab.com/redhat/rhel-ai/team-pytorch/pytorch/-/merge_requests/178
Fix Branch: security-fix-Command_Injection-cwe22_common_path_traversal
Status: IMPLEMENTED
Fix Implementation:
1. Use os.path.basename(output_filename) to remove any directory components from user input
2. Use os.path.abspath() to resolve final path
3. Verify resolved path starts with base directory using startswith(base_dir + os.sep)
4. Raise ValueError if path escapes the intended directory
This prevents both relative (../) and absolute (/etc/passwd) path traversal attacks.
Related Exploit Files
- test_cwe22_common_path_traversal.py
Exploit Code Sample
# Excerpt from benchmarks/dynamo/common.py; os, torch and args are defined by the surrounding module.

# VULNERABLE CODE (line 4210):
if output_filename:
    if args.output_directory:
        output_filename = os.path.join(args.output_directory, output_filename)
    else:
        output_filename = os.path.join(
            torch._dynamo.config.base_dir, output_filename
        )

# ATTACK VECTOR:
# args.output = "../../../etc/passwd"
# Results in writing to: /etc/passwd instead of intended benchmark directory

# SAFE FIX:
output_filename = os.path.basename(output_filename)  # Remove directory components
if args.output_directory:
    base_dir = os.path.abspath(args.output_directory)
else:
    base_dir = os.path.abspath(torch._dynamo.config.base_dir)  # Same check for the default directory
output_filename = os.path.join(base_dir, output_filename)
if not os.path.abspath(output_filename).startswith(base_dir + os.sep):
    raise ValueError(f"Invalid output path: {output_filename} escapes directory")
References
- CWE Reference: https://cwe.mitre.org/data/definitions/22.html
- CVE Table: /pytorch_workspace/Security_related_files/Security_related_files/Command_Injection/Command_Injection_part_005/results/cve_analyzed_report.csv
Generated by CI Security Bot on 2026-02-04