Package Instance

gramps-webapi: Zip Slip Path Traversal in Media Archive Import
## Summary

A path traversal vulnerability (Zip Slip) exists in the media archive import feature. An authenticated user with owner-level privileges can craft a malicious ZIP file with directory-traversal filenames to write arbitrary files outside the intended temporary extraction directory on the server's local filesystem.

## Details

When importing media archives as ZIP file, `MediaImporter._check_disk_space_and_extract()` in `gramps_webapi/api/media_importer.py` called `zipfile.extractall()` without validating ZIP entry names. Python's `zipfile` module does not sanitize entry names containing `../` sequences, allowing extraction to paths outside the target directory.

Only users with **owner permission** can upload media ZIP archives, so the biggest risk is for multi-tree deployments, where tree owners are distinct from server administrators.

For multi-tree deployments, the impact depends on deployment configuration. Assuming the standard docker-based deployment is used:

- **SQLite family tree + local media**: An attacker can overwrite another tree's database file or media files, leading to cross-tree data corruption or replacement.
- **Postgres family tree + S3 media**: No persistent tree data is stored on the local filesystem,  so cross-tree impact is eliminated. The remaining risk is overwriting volume-mounted files such as the application config file.
- **Postgres family tree + S3 media + environment-variable-only config**: No persistent files of  value are present on the local filesystem. Impact is limited to writes to ephemeral container storage, which are lost on woker restart.

## Fix

ZIP entry names are now validated against the resolved real path of the temporary directory before extraction. Any entry whose resolved path falls outside the temporary directory raises an error and aborts the import.

Gramps Web API: Private Sub-Object Data in Non-Private Objects Exposed to Guest Users
## Summary

Users with the **Guest** role could receive private sub-object data (e.g. private alternate names, private addresses, private note/citation/media handles) through list API endpoints such as `GET /api/people/`, `GET /api/places/`, `GET /api/events/`, and all other object list endpoints.

**This does not expose objects (people, places, events, …) that are themselves marked private.** Top-level private objects are correctly excluded from all responses. Only sub-object data attached to otherwise-public objects is affected.

## Affected Versions

All versions of Gramps Web API prior to the fix.

## Root Cause

The vulnerability originates from the behaviour of `PrivateProxyDb.iter_*()` in **Gramps core**. The `ProxyDbBase.__iter_object()` helper, which backs all `iter_*()` methods in `PrivateProxyDb`, correctly filters out top-level private objects but returns the remaining objects **unsanitized** — i.e. without stripping private sub-object references. In contrast, `PrivateProxyDb.get_*_from_handle()` does call the appropriate `sanitize_*()` function.

Gramps Web API's `ModifiedPrivateProxyDb` (which wraps the raw database for non-admin users) inherited this behaviour without override.

The same issue affects Gramps desktop features that consume `iter_*()` output: reports and exports generated via Gramps desktop using `PrivateProxyDb` may also include private sub-object data that should have been stripped.

## Conditions Required

**This issue only affects trees in which sub-objects have been explicitly marked private in Gramps desktop.** The Gramps Web frontend UI does not expose controls for setting the private flag on sub-objects (alternate names, addresses, notes,
citations, media references, event references, etc.). In practice, such flags are set in Gramps desktop and then synced or imported into Gramps Web.

## Impact

When the conditions above are met, a user with the Guest role querying any list endpoint receives:

- **Full content** of private embedded sub-objects on people, such as alternate  names (first name, surname, etc.) and addresses (street, city, etc.).
- **Handles referencing** private notes, citations, and media attached to places,  events, sources, and other objects. These reveal the *existence* of private
  linked objects but not their content; fetching those objects by handle is  correctly blocked by the proxy.

## Fix

`ModifiedPrivateProxyDb` now overrides all `iter_*()` object methods to check `obj.get_privacy()` directly on the already-loaded object (eliminating the redundant per-object refetch) and to call the appropriate `sanitize_*()` function before yielding each object. This is consistent with the behaviour of `get_*_from_handle()` in `PrivateProxyDb`.