Quiet - Arbitrary File Write (leading to code execution)

A malicious client could change the `fileMetadata.name` attribute, and when another client downloads the file it will happily use that name when deciding where to write the file, i.e. if the name contains `../../` it will escape the `downloads` folder and write to any arbitrary directory.

This happened because the download file path is resolved to `${path.join(downloadDirectory, fileName)}`, which allows path traversal because '/' characters are permitted in the filename metadata.

File writes appeared to be completely unrestricted, and I wrote a simple PoC that escalates this to code execution (because an attacker can simply overwrite startup scripts, or shared libraries, or anything else).

(Note that even on platforms where writing outside of config is more difficult e.g. mobile, this vuln would be enough to likely cause deanonymization as config files / caches are clobber-able - and I suspect that ACE wouldn't be too difficult even in that restricted context)

This flaw was reported privately to the Quiet team in September 2023 and was patched within a week.