Description
A path traversal vulnerability exists in the /fs/zip endpoint where the zipname parameter is not sanitized before being used to construct the zip file path. This could allow an attacker to create zip files outside the container directory by supplying a malicious zipname like ../../escape.
Location
File: src/handlers/filesystem/fs.ts
Function: zip (around line 472)
Vulnerability Details
The current code directly interpolates the zipname parameter into the zip path:
```ts
const zipPath = path.join(baseDirectory, `${zipname}.zip`);
```
Without validation, this allows path traversal attacks that bypass the container directory boundaries that PR #6 aims to enforce.
Recommended Fix
Apply the existing sanitizePath function to validate the zip path before use:
```ts
const sanitizedZip = sanitizePath(baseDirectory, `${zipname}.zip`);
const validatedZipPath = sanitizedZip.resolvedPath;
await fs.mkdir(path.dirname(validatedZipPath), { recursive: true });
const zipStream = fsN.createWriteStream(validatedZipPath);
```
And update the resolve statement:
```ts
zipStream.on('close', () => {
  resolve(validatedZipPath);
});
```
References
- PR: Zip file created outside container directory fixed #6
- Review comment: Zip file created outside container directory fixed #6 (comment)
Action Required
@privt00 - Please address this security vulnerability as requested by @g-flame.
Reported by: @g-flame
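The behaviour reported above, as an added example that is not part of the original issue and is not the project's `sanitizePath`: `path.join` normalises `..` and so leaves the base directory, while a resolve-then-compare check rejects the same input. `BASE`, `unsafeZipPath`, `safeZipPath` and `isRejected` are hypothetical names, and the directory is constructed.

```javascript
// Added example; not the project's sanitizePath. Names and paths are constructed.
const path = require('node:path').posix; // posix flavour: same results on any OS

const BASE = '/srv/containers/abc123'; // constructed container directory

// What the reported code does: join() normalises "..", so the result can leave base.
function unsafeZipPath(base, zipname) {
  return path.join(base, `${zipname}.zip`);
}

// Hypothetical containment check: resolve the candidate, then require it to sit
// strictly below base. path.relative() avoids the startsWith() pitfall where
// "/srv/containers/abc123-other" looks like it is inside "/srv/containers/abc123".
function safeZipPath(base, zipname) {
  if (typeof zipname !== 'string' || zipname.length === 0 || zipname.includes('\0')) {
    throw new Error('invalid zipname');
  }
  const root = path.resolve(base);
  const resolved = path.resolve(root, `${zipname}.zip`);
  const rel = path.relative(root, resolved);
  if (rel === '' || rel === '..' || rel.startsWith('../') || path.isAbsolute(rel)) {
    throw new Error(`zip path escapes container directory: ${zipname}`);
  }
  return resolved;
}

// Returns true when safeZipPath rejects the name.
function isRejected(zipname) {
  try {
    safeZipPath(BASE, zipname);
    return false;
  } catch {
    return true;
  }
}
```

This check is lexical only: it does not follow symlinks, so a handler that allows symlinks inside the container directory also needs to compare real paths before writing.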