(SECURITY BUG) Path Traversal Vulnerability in Download Endpoints #45
Description
Download endpoints (/downloadFile, /downloadCSVFile, /downloadResultsFile) accept a user-supplied filename parameter and directly join it into a file path without validation. An attacker can use path traversal sequences (e.g., ../../) to download arbitrary files from the system.
Why This Matters
- High severity security issue: attackers can read sensitive files (API keys, configs, user data)
- Violates OWASP Path Traversal (CWE-22) guidelines
- Affects production security posture
- Violates the principle of least privilege (no input validation)
Location
File: `API/Routes/DataFile/DataFileRoute.py`
Lines: 191–210
Current Vulnerable Code
```python
file = request.args.get('file')  # User-controlled input
dataFile = Path(Config.DATA_STORAGE, case, 'res', 'csv', file)  # Directly joined!
return send_file(dataFile.resolve(), as_attachment=True, max_age=0)
```
Proof of Concept
```text
# Normal request (intended)
GET /downloadFile?case=my_case&file=results.csv

# Malicious request (path traversal)
GET /downloadFile?case=my_case&file=../../../API/app.py
# Returns: API/app.py (Secret_Key exposed!)

GET /downloadFile?case=my_case&file=../../WebAPP/DataStorage/other_case/data.json
# Returns: Another user's case data (privacy breach!)
```
Expected Behavior
- Only files within the intended directory (`res/csv/`) should be accessible
- Paths containing `..` should be rejected
- Attempts to escape the directory should return 400 Bad Request
Acceptance Criteria
- Validate that the resolved file path is within the intended directory
- Reject requests with `..` or other escape sequences in the filename
- Use `pathlib.Path.resolve()` with a directory containment check
- Return 400 Bad Request with a clear error message for invalid paths
- Write a test case demonstrating the fix blocks path traversal
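The containment check the acceptance criteria ask for, as an added example that is not the project's own code. It resolves the joined path and rejects anything that does not stay under the base directory, which also catches symlinks and absolute paths, not just literal `..` segments; the helper names, the temporary storage layout and the sample files are constructed for the demo, and the route would call `abort(400)` where the helper returns `None`.

```python
from pathlib import Path
from typing import Optional
import tempfile


def resolve_within(base_dir: Path, user_path: str) -> Optional[Path]:
    """Return the resolved path of user_path under base_dir, or None if it escapes.
    resolve() follows symlinks, so a link pointing outside the directory is
    rejected too; an absolute user_path replaces the base on join and is caught
    by the same relative_to() check."""
    base = base_dir.resolve()
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError when candidate is outside base
    except ValueError:
        return None
    if candidate == base:  # the directory itself is not a downloadable file
        return None
    return candidate


def vulnerable_join(base_dir: Path, user_path: str) -> Path:
    """Mirror of the reported behaviour: join and resolve with no check."""
    return Path(base_dir, user_path).resolve()


def demo() -> dict:
    """Build a constructed storage layout in a temp dir (assumed, not the project's
    real paths) and show what the unchecked join allows and the hardened helper blocks."""
    root = Path(tempfile.mkdtemp())
    csv_dir = root / "my_case" / "res" / "csv"
    csv_dir.mkdir(parents=True)
    (csv_dir / "results.csv").write_text("a,b\n1,2\n")
    (root / "app.py").write_text("SECRET_KEY = 'constructed-placeholder'\n")
    traversal = "../../../app.py"  # three levels up from res/csv lands on root
    return {
        "vuln_reaches_secret": vulnerable_join(csv_dir, traversal) == (root / "app.py").resolve(),
        "hardened_blocks_traversal": resolve_within(csv_dir, traversal) is None,
        "hardened_allows_normal": resolve_within(csv_dir, "results.csv") == (csv_dir / "results.csv").resolve(),
        "hardened_blocks_absolute": resolve_within(csv_dir, "/etc/hostname") is None,
        "hardened_blocks_base_itself": resolve_within(csv_dir, ".") is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```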