Description
A critical path traversal vulnerability (CWE-22) has been identified in the review_paper function in backend/app.py. The vulnerability allows malicious users to access arbitrary PDF files on the server by providing crafted file paths that bypass the intended security restrictions.
Impact
This vulnerability allows attackers to:
- Read any PDF file accessible to the server process
- Potentially access sensitive documents outside the intended directory
- Perform reconnaissance on the server's file system structure
Vulnerable Code
The issue occurs in the review_paper function around line 744:
if pdf_path.startswith("/api/files/"):
    # Safe path handling for API routes
    relative_path = pdf_path[len("/api/files/"):]
    generated_base = os.path.join(project_root, "generated")
    absolute_pdf_path = os.path.join(generated_base, relative_path)
else:
    absolute_pdf_path = pdf_path  # VULNERABLE: Direct use of user input
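The following is an added example of how the path resolution could be hardened; it is not code from the project, and the names resolve_pdf_path and is_allowed_pdf_path are assumptions for illustration. It drops the fallback branch entirely, normalises the candidate path with os.path.realpath so that ".." segments and symlinks are resolved, and only accepts a result that still lies under the generated directory. Note that even the "safe" branch above is not safe on its own: os.path.join(generated_base, "../../etc/passwd") happily produces a path outside generated/, so the containment check is what actually closes the hole.

```python
import os

# Added example for this advisory, not the project's own code.
# resolve_pdf_path / is_allowed_pdf_path are hypothetical names.


def resolve_pdf_path(pdf_path: str, project_root: str) -> str:
    """Map a client-supplied pdf_path onto a file under <project_root>/generated.

    Raises ValueError for any value that is not an /api/files/ route, that
    escapes the generated directory after normalisation, or that is not a
    .pdf file. The caller should turn ValueError into a 400 response.
    """
    if not isinstance(pdf_path, str) or not pdf_path.startswith("/api/files/"):
        # No else-branch: an arbitrary server path from the client is rejected.
        raise ValueError("pdf_path must be an /api/files/ route")

    relative_path = pdf_path[len("/api/files/"):]
    if not relative_path or relative_path.startswith("/") or "\x00" in relative_path:
        # A leading "/" would make os.path.join discard generated_base entirely.
        raise ValueError("invalid relative path")

    generated_base = os.path.realpath(os.path.join(project_root, "generated"))
    candidate = os.path.realpath(os.path.join(generated_base, relative_path))

    # Containment is checked on the fully resolved path, so ".." segments and
    # symlinks cannot be used to point outside generated/.
    if os.path.commonpath([generated_base, candidate]) != generated_base:
        raise ValueError("path escapes the generated directory")

    if not candidate.lower().endswith(".pdf"):
        raise ValueError("only .pdf files may be reviewed")
    return candidate


def is_allowed_pdf_path(pdf_path: str, project_root: str) -> bool:
    """Convenience wrapper: True if resolve_pdf_path accepts the input."""
    try:
        resolve_pdf_path(pdf_path, project_root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs; /srv/app is a placeholder project root.
    samples = [
        "/api/files/paper.pdf",
        "/etc/passwd",
        "/api/files/../../etc/passwd",
        "/api/files//etc/passwd",
        "/api/files/notes.txt",
    ]
    for sample in samples:
        verdict = "allowed" if is_allowed_pdf_path(sample, "/srv/app") else "rejected"
        print(f"{sample!r}: {verdict}")
```

The check is deliberately allow-list shaped: the only way to reach a file is through the /api/files/ route, and the resolved location must still sit under generated/. When reviewing a fix, also confirm the rejection path returns a client error rather than leaking the resolved path in an exception message.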
Proof of Concept
curl -X POST http://localhost:5000/api/review \
  -H "Content-Type: application/json" \
  -d '{"pdf_path": "/etc/passwd"}'
Credit
This vulnerability was discovered and reported by Ruizhe.