Description
The /api/file/content endpoint in Flocks allows unrestricted file system access without any path validation or authentication. Any user with network access to the Flocks server can read arbitrary files on the system.
Steps to Reproduce
- Start Flocks server
- Send GET request to http://127.0.0.1:PORT/api/file/content?path=/etc/passwd
- File content is returned without authentication
Affected Endpoints
GET /api/file/content?path=<arbitrary_path>
Impact
- Read SSH private keys: ~/.ssh/id_rsa
- Read API keys from config: ~/.flocks/config/.secret.json
- Read environment variables: /proc/self/environ
- Read any file accessible by the Flocks process user
Suggested Fix
- Add authentication middleware to all API endpoints
- Implement path validation to restrict file access to project directories only
- Add CORS restrictions (currently allow_origins=*)
Environment
- Flocks version: latest
- Server: 127.0.0.1:8000 (backend), 127.0.0.1:5172 (frontend)
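One way to implement the path validation proposed under Suggested Fix, as an added example that is not part of the original report and not Flocks' own code. The names `resolve_within`, `PathNotAllowed` and `demo` are hypothetical, and the project directory and request strings are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


class PathNotAllowed(Exception):
    """Raised when a requested path falls outside the allowed project root."""


def resolve_within(root: Path, requested: str) -> Path:
    """Return the real path for `requested` only if it stays inside `root`."""
    if "\x00" in requested:
        raise PathNotAllowed("NUL byte in path")
    real_root = root.resolve(strict=True)
    # Joining with an absolute `requested` discards real_root, so the
    # containment check below must run on the resolved result, not the input.
    candidate = (real_root / requested).resolve(strict=False)
    # resolve() follows symlinks and collapses "..", so a link inside the
    # project that points elsewhere is judged by where it really lands.
    if candidate != real_root and real_root not in candidate.parents:
        raise PathNotAllowed(f"{requested!r} is outside the project root")
    return candidate


def demo() -> dict:
    """Run constructed requests against a throwaway project directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp) / "project"
        (project / "src").mkdir(parents=True)
        (project / "src" / "main.py").write_text("print('hi')\n")
        (Path(tmp) / "secret.txt").write_text("outside\n")
        os.symlink(Path(tmp) / "secret.txt", project / "link")  # escaping symlink
        for req in ["src/main.py", "/etc/passwd", "/proc/self/environ",
                    "../secret.txt", "src/../../secret.txt", "link"]:
            try:
                resolve_within(project, req)
                results[req] = "allowed"
            except PathNotAllowed:
                results[req] = "denied"
    return results


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(f"{verdict:8} {request}")
```

The handler should open the path returned by `resolve_within`, not the original query string, so the file that was checked is the file that is read.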