
fix: prevent path traversal in file download endpoint#64

Open
tranquac wants to merge 1 commit into CIDARLAB:develop from tranquac:fix/path-traversal-file-download

Conversation

@tranquac

Summary

Prevent path traversal in the file download endpoint by validating the filename parameter.

Problem

The getResultFile endpoint constructs file paths by directly concatenating the user-supplied filename path variable:

@PathVariable("filename") String filename   // taken verbatim from the request path
// ...
// No validation: the request-controlled segment is concatenated straight into the path
String filePath = _resultPath + "/" + username + "/" + jobid + "/" + filename;
FileInputStream mFileInputStream = new FileInputStream(filePath);

An attacker can read arbitrary files using path traversal sequences:

  • GET /results/jobid/../../etc/passwd → reads /etc/passwd
  • Both the binary branch (PNG/PDF) and text branch are affected

Fix

Validate that filename doesn't contain path traversal sequences (.., /, \) before using it in file path construction:

// Reject the request before any path is built from the filename
if (filename.contains("..") || filename.contains("/") || filename.contains("\\")) {
    throw new CelloNotFoundException("invalid filename");
}

Impact

  • Type: Path Traversal / Arbitrary File Read (CWE-22)
  • Affected endpoint: GET /results/{jobid}/(unknown)
  • Risk: Read any file accessible to the application process
  • OWASP: A01:2021 — Broken Access Control

Signed-off-by: tranquac <tranquac@users.noreply.github.com>
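As an added example (not Cello's code and not part of this PR), the following shows the denylist check from the PR next to a second, independent defence a reviewer would usually ask for: resolve the candidate path, normalize it, and require that it is still inside the per-job directory. The class and method names, the result root `/var/cello/results`, the user `alice` and the job id `job1` are assumptions for the demo; the real controller uses `_resultPath` and the request's path variables. The sample filenames are constructed. It assumes a POSIX filesystem, which is exactly what makes the backslash case interesting.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;

// Added example, not Cello's code. Class, method and path names are hypothetical.
public class ResultFileResolver {

    // Assumed result root; Cello's real value lives in _resultPath.
    private static final Path RESULT_ROOT =
            Paths.get("/var/cello/results").toAbsolutePath().normalize();

    /** The denylist check from the PR: reject "..", "/" and "\" anywhere in the name. */
    static boolean hasTraversalSequence(String filename) {
        return filename.contains("..") || filename.contains("/") || filename.contains("\\");
    }

    /**
     * Containment check: build the path the way the endpoint does, normalize it,
     * and require that the result is still inside the per-job directory.
     * Path.startsWith compares whole components, so ".../job1x/f" does not
     * "start with" ".../job1".
     */
    static Path resolveWithinJobDir(String username, String jobid, String filename) {
        Path jobDir = RESULT_ROOT.resolve(username).resolve(jobid).normalize();
        if (!jobDir.startsWith(RESULT_ROOT)) {
            throw new IllegalArgumentException("invalid job directory");
        }
        // resolve() with an absolute argument returns that argument unchanged,
        // so "/etc/passwd" is caught by the startsWith check below.
        Path target = jobDir.resolve(filename).normalize();
        if (!target.startsWith(jobDir)) {
            throw new IllegalArgumentException("invalid filename");
        }
        return target;
    }

    /** Both checks together: fail fast on the denylist, then confirm containment. */
    static Path safeResultFile(String username, String jobid, String filename) {
        // Empty name would resolve to the job directory itself, so reject it too.
        if (filename.isEmpty() || hasTraversalSequence(filename)) {
            throw new IllegalArgumentException("invalid filename");
        }
        return resolveWithinJobDir(username, jobid, filename);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not real traffic.
        List<String> names = Arrays.asList(
                "circuit.png",            // legitimate result file
                "../../etc/passwd",       // the traversal from the PR description
                "..\\..\\win.ini",        // backslash variant: an ordinary character on POSIX
                "/etc/passwd",            // absolute path: caught by "/" and by containment
                "notes/../circuit.txt");  // ends up inside the job dir but still contains ".."
        for (String name : names) {
            String naive = RESULT_ROOT + "/alice/job1/" + name;  // what the old code built
            System.out.println("filename:  " + name);
            System.out.println("  naive concat -> " + naive);
            System.out.println("  denylist     -> " + (hasTraversalSequence(name) ? "reject" : "allow"));
            try {
                System.out.println("  containment  -> allow " + resolveWithinJobDir("alice", "job1", name));
            } catch (IllegalArgumentException e) {
                System.out.println("  containment  -> reject (" + e.getMessage() + ")");
            }
            try {
                System.out.println("  combined     -> allow " + safeResultFile("alice", "job1", name));
            } catch (IllegalArgumentException e) {
                System.out.println("  combined     -> reject (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running it on Linux shows why the two checks complement each other: containment alone lets `..\..\win.ini` through (backslash is just a byte in a POSIX filename) and lets `notes/../circuit.txt` through (it normalizes back into the job directory), while the denylist alone has no opinion about what `username` and `jobid` resolve to. Keeping both, with the denylist first, gives the flat-filename behaviour the endpoint expects plus a guarantee about the final path that does not depend on which characters were enumerated.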