
Security Vulnerability: Arbitrary File Write (Path Traversal) via Validation Bypass #126

Description

@ArshVermaGit

The API endpoints /api/scripts/save and /api/scripts/import_github are vulnerable to a Path Traversal attack that allows an attacker to write files to any location on the file system that the server process can write to.

The application does employ a security validation mechanism (validate_safe_path(SCRIPTS_DIR, rel_path)) designed to constrain writes to SCRIPTS_DIR, but a logic flaw in how the path is reconstructed after validation lets an attacker bypass it: the check is applied to one string and the file is created at another.

The Bypass Mechanism

An attacker can craft a payload with a deeply nested category (e.g., a/b/c/d) alongside a filename containing traversal sequences (e.g., ../../../../tmp/pwn.sh).

When combined into rel_path:

a/b/c/d/../../../../tmp/pwn.sh

The validate_safe_path function resolves this path correctly. Because the four ../ sequences cancel out the four nested directories, the resolved path is SCRIPTS_DIR/tmp/pwn.sh, which is inside the SCRIPTS_DIR boundary, so the validation check passes.

However, immediately following this validation, the application dynamically rebuilds the absolute path for file creation:

full_path = str(validate_safe_path(SCRIPTS_DIR, rel_path))
os.makedirs(os.path.dirname(full_path), exist_ok=True)

# ⚠️ VULNERABILITY: filename is appended directly, re-introducing the traversal sequences
full_path = os.path.join(os.path.dirname(full_path), filename)

Because the filename variable remains unsanitized and still holds the ../ sequences, this join re-applies the traversal relative to the validated directory (SCRIPTS_DIR/tmp), so the path actually opened is /tmp/pwn.sh. The validated path is discarded and never used for the write, which completely circumvents the security control.
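The following is an added illustration, not code from the affected project: it reconstructs the flawed sequence above as pure path arithmetic and places a hardened version beside it. The body of validate_safe_path is an assumption (the issue only names the function), and SCRIPTS_DIR is a made-up location; posixpath is used instead of os.path so the result is the same on any platform and no directories are created.

```python
import posixpath

# Assumed location; the issue does not state the real SCRIPTS_DIR.
SCRIPTS_DIR = "/srv/app/scripts"


def validate_safe_path(base_dir: str, rel_path: str) -> str:
    """Assumed reconstruction of the project's validator.

    Resolves rel_path under base_dir and rejects anything that escapes it.
    Real code should resolve with os.path.realpath so symlinks are followed
    before the containment check; normpath is used here to stay offline.
    """
    base = posixpath.normpath(base_dir)
    resolved = posixpath.normpath(posixpath.join(base, rel_path))
    if resolved != base and not resolved.startswith(base + "/"):
        raise ValueError(f"path escapes {base_dir}: {rel_path!r}")
    return resolved


def vulnerable_build_path(category: str, filename: str) -> str:
    """Mirrors the flawed sequence from the issue (os.makedirs omitted).

    Returns the normalized path the OS would actually open.
    """
    rel_path = posixpath.join(category, filename)
    full_path = validate_safe_path(SCRIPTS_DIR, rel_path)  # check passes
    # The still-unsanitized filename is joined onto the validated directory,
    # re-applying the ../ sequences relative to SCRIPTS_DIR/tmp.
    full_path = posixpath.join(posixpath.dirname(full_path), filename)
    return posixpath.normpath(full_path)


def safe_build_path(category: str, filename: str) -> str:
    """Hardened variant.

    1. filename must be a single path component (no separators, not ..).
    2. The exact string that will be opened is the one that gets validated,
       and nothing is joined onto it afterwards.
    """
    if filename in ("", ".", "..") or filename != posixpath.basename(filename):
        raise ValueError(f"invalid filename: {filename!r}")
    return validate_safe_path(SCRIPTS_DIR, posixpath.join(category, filename))


if __name__ == "__main__":
    # Constructed attacker input from the issue.
    print(vulnerable_build_path("a/b/c/d", "../../../../tmp/pwn.sh"))
    print(safe_build_path("a/b/c/d", "pwn.sh"))
    try:
        safe_build_path("a/b/c/d", "../../../../tmp/pwn.sh")
    except ValueError as exc:
        print("rejected:", exc)
```

The rule the hardened version follows is the general one for this bug class: validate the final path, not an intermediate one, and treat any user-supplied filename that is not a single component as an error rather than something to normalize.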

Impact

This vulnerability results in Arbitrary File Write with the privileges of the server process. An attacker can traverse outside the designated scripts directory to overwrite configuration or system files, inject backdoors (for example by appending to ~/.ssh/authorized_keys), or drop malicious scripts elsewhere on the host filesystem, potentially escalating to complete compromise of the host if the service runs as a privileged user.

Affected Endpoints

  • POST /api/scripts/save
  • POST /api/scripts/import_github
