Escaping the Sandbox: How a Simple Python Path Flaw Led to Host RCE The culprit? A classic logic flaw in Python’s os.path.join() function. Here is a deep dive into how I turned a simple path …

InfoSecWriteUps' platform is  dedicated to providing insights and resources for cybersecurity professionals and enthusiasts. Through articles, tutorials, and security research, InfoSecWriteUps offers insights into cybersecurity vulnerabilities, attack techniques, and defense strategies. Readers can learn about penetration testing, threat intelligence, and incident response to enhance their cybersecurity knowledge and skills.

InfoSec Write-ups

A deployment automation tool used Python's os.path.join() to sandbox script execution within a designated build directory. Because os.path.join() discards all previous path components when given an absolute path, an attacker could inject an absolute path via the web dashboard to bypass the sandbox entirely and execute arbitrary scripts on the host OS. The exploit involved dropping a payload at /tmp/, then supplying that absolute path as the deployment hook. Even running as a non-root service user, the impact includes cloud credential theft via IMDS, supply chain attacks through future builds, and secrets exfiltration. The fix requires validating the resolved path with os.path.abspath() to confirm it still resides within the intended base directory.

Escaping the Sandbox: How a Simple Python Path Flaw Led to Host RCE

🏗️ The Target: An Enterprise Deployment Engine

🐛 The Vulnerability: The os.path.join Trap

⚔️ The Exploit: Weaponizing the Logic Flaw