Three related vulnerabilities in the file handling layer that allow an attacker to read, write, or delete arbitrary files on the server.
Vulnerability 1 — Path Traversal via 'casename'
File: API/Routes/Case/CaseRoute.py ~L103
Affected: deleteCase(), copyCase(), saveCase(), getResultData(), backupCase()
casename comes directly from user-supplied JSON with no validation and is passed straight into filesystem operations:
case = request.json['casename']
casePath = Path(Config.DATA_STORAGE, case)
shutil.rmtree(casePath)
Sending {"casename": "../../"} to deleteCase causes shutil.rmtree to walk up the directory tree and delete everything it has permission to touch. The same pattern in copy/read routes also allows directory traversal or data leaks.
Introduce a safe_case_path() helper and enforce it on all routes that accept casename.
Vulnerability 2 — ZIP Slip via extractall()
File: API/Routes/Upload/UploadRoute.py ~L281
zf.extractall(os.path.join(Config.EXTRACT_FOLDER))
extractall() does not sanitize archive entry paths. A crafted ZIP with entries like ../../../etc/cron.d/backdoor will write files outside EXTRACT_FOLDER to arbitrary locations on the filesystem.
Introduce a method to validate each file path before extraction to ensure it stays within the designated folder.
Vulnerability 3 — Unbounded File Upload Size
File: API/app.py ~L46
app.config["MAX_CONTENT_LENGTH"] = None
No upload size limit is enforced. A multi-GB POST to any upload endpoint can exhaust disk space or memory.
Three related vulnerabilities in the file handling layer that allow an attacker to read, write, or delete arbitrary files on the server.
Vulnerability 1 — Path Traversal via 'casename'
File:
API/Routes/Case/CaseRoute.py~L103Affected:
deleteCase(),copyCase(),saveCase(),getResultData(),backupCase()casenamecomes directly from user-supplied JSON with no validation and is passed straight into filesystem operations:Sending
{"casename": "../../"}todeleteCasecausesshutil.rmtreeto walk up the directory tree and delete everything it has permission to touch. The same pattern in copy/read routes also allows directory traversal or data leaks.Introduce a safe_case_path() helper and enforce it on all routes that accept casename.
Vulnerability 2 — ZIP Slip via
extractall()File:
API/Routes/Upload/UploadRoute.py~L281extractall()does not sanitize archive entry paths. A crafted ZIP with entries like../../../etc/cron.d/backdoorwill write files outsideEXTRACT_FOLDERto arbitrary locations on the filesystem.Introduce a method to validate each file path before extraction to ensure it stays within the designated folder.
Vulnerability 3 — Unbounded File Upload Size
File:
API/app.py~L46No upload size limit is enforced. A multi-GB POST to any upload endpoint can exhaust disk space or memory.