LFI vuln (v1) #319
Merged
piyushroshan requested changes (Aug 23, 2025)
piyushroshan previously approved these changes (Aug 28, 2025)
piyushroshan approved these changes (Sep 3, 2025)
piyushroshan added a commit that referenced this pull request (Sep 22, 2025):
* Support disabling wait-for
* Init handling workshop service
* Dependency handling community service
* Lint
* Handle health
* Bump k8s-wait-for to v2.0 for arm64 (#256)
* Bump k8s-wait-for to v2.0 for arm64
* Update certs
* Update README.md (#257)
* Correct training
* Timeout handling for gateway (#259) Timeout handling for gateway
* Update pr-build.yml
* Make VIN numbers VIN-regex compliant (#261)
* Fix VIN
* add permissions pull request write
---------
Co-authored-by: Roshan Piyush <piyush.roshan@gmail.com>
* Make storage provisions configurable. (#263) Persistent volume helm configuration
* Escaped validation for unsigned JWTs (#265)
* added check for unsigned jwt
* Change to typescript from js and show service request history (#269)
* Use typescript
* Fix bugs
* lint
* Convert more to typescript
* More typescript
* User service req view
* Update dockerfile
* Implement service history
* Update docker-compose.yml
* Implement report view (#270)
* Update pr-build.yml
* Change phone number feature (#268)
* Added functionality to send OTP for phone number change request
---------
Co-authored-by: Roshan Piyush <piyush.roshan@gmail.com>
* Phone number change web service (#271)
* web service verify OTP impl
* minor identity service changes
---------
Co-authored-by: Roshan Piyush <piyush.roshan@gmail.com>
* Mechanic ux (#281)
* E2E-UI
* Mechanic UX fixes
* Fix profile pages
* Update web and identity images (#282)
* Fix convention
* Enhanced README to Pull and Modify Variables in the .env file (#288)
* enhanced readme
* enhanced setup.md
* enhanced setup.md
* Update LICENSE.md
* Update README.md
* Update setup.md
* Fix health of gateway image (#289)
* Fix health of gateway image
* Update docker compose
* Fix filename typos in README.md (#290) The current name of the docker compose file is `docker-compose.yml`. The readme command examples indicated that the name was `docker compose.yml`. This commit updates all README cases of this error to reflect the actual name of the file, making the command functional again.
* Update values-pv.yaml
* Chatbot impl (#295)
* Implement chatbot UI
* added llm chatbot service (#242)
* added llm chatbot service
* Llm chatbot (#243)
* removed unused imports
* Integration
* Lint
* Minor fixes
* Fix ssl issue
* Fix docker
* Fix entrypoint
* increase timeout
* Implement helm
* Fix entrypoint
* Store user state for chatbot
* resolved segmentation fault error in chatbot (#245)
* Add release workflow
* Instructions
* Fix tag publish
* Strip tag prefix
* String tag prefix for docker tags
* Fix entrypoint.sh
* Session based chat
* Fix UI
* Lint
* Fix configmap
* Update requirements
* Fix dockerfile
* Fix UX
* Separate prompts
* Change to ChatOpenAI
* Change to ChatOpenAI
* Return messages
* Save chat history
* Cleanup
* Cleanup
* Preserve X-Forwarded-For
* Add mongo dependency for chatbot
* Use old turbo model
* FSession logs not clearer debug
* Add ssn
* Fix gateway service health
* Chatbot typescript
* Upgrade packages
* Dummy commit
* Lint
* lint
* Reduce max mem
* Update chatbot
* Update chatbot
* Potential fix for code scanning alert no. 21: Flask app is run in debug mode
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Chatbot mcp impl
* spotless
* Fix chatbot
* Spotless
* Fix usage
* MCP server fix (#303)
* Remove errors
* Remove variables not needed
* Add management scripts
* Make executable
* Fix config
* Fix config
* Add init for chatbot
* Add retry for apikey
* Add retry for apikey
* Chatbot UX fix
* update tool versions
* Lint fix
* Upgrade golangci-lint
* Npm lint fix
---------
Co-authored-by: Dhruv Singhal <dhruv.singhal@traceable.ai>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: keyurdoshi03 <keyur.doshi@harness.io>
* Update Chart.yaml
* Update VERSION - Correct value (#305) Align VERSION file with release info.
* Chatbot markdown (#308)
* Bot support markdown in chat
* Model selection implemented (#309)
* Model selection implemented
* Refactor: moved default model env variable to correct files
* User context provided (#310)
* Model selection implemented
* Refactor: moved default model env variable to correct files
* User context provided
* Create challenges.md
* Update challenges
* Update challenges
* lint
* Implemented vector index and MCP tool for semantic search (#311)
* Implemented vector index for chat history context and MCP tool for semantic search & summarization
* Persisted storage of vectors using Chroma
* JWT auth added for MCP server's api calls (#314)
* JWT auth added for MCP server's api calls
* Uxrevamp (#316)
* Chroma fixes (#317)
* Fix mcpserver
* fix chatbot
* Fix async calls
* black
* Http client fix
* Fix async
* Fix async
* Upgrade chromadb
* Fixes
* Fix css of remaining components
* Interaction fix
* chat fix (#318)
* chat fix
* prettier formatting
* LFI vuln (v1) (#319)
* LFI vuln (v1)
* Change log level for API key retrieval success
* helm fixes (#320)
* helm fixes
* resolved comments
---------
Co-authored-by: Namburi Soujanya <54130357+soujanyanmbri@users.noreply.github.com>
Co-authored-by: Mathew Jose Mammoottil <60283272+mathew-jose@users.noreply.github.com>
Co-authored-by: Pushkar Pawar <77621010+pushkarpawar15@users.noreply.github.com>
Co-authored-by: massey-n <136398242+massey-n@users.noreply.github.com>
Co-authored-by: Dhruv Singhal <dhruv.singhal@traceable.ai>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: keyurdoshi03 <keyur.doshi@harness.io>
Co-authored-by: Rick M <kingthorin@users.noreply.github.com>
Description
Implemented an LFI vulnerability where only double URL-encoding with nested traversal works.
So, to access a path like "../file.py", the parameter that needs to be passed is "%252E%252E%252E%252F%252E%252Ffile.py", which translates to "..././file.py".
[More safeguards can be added to make LFI even more difficult]
Added verbose error messages to help understand what kind of path will bypass checks.
Added download service report functionality where this vulnerability is injected.
Limited file storage to 50 PDFs (configurable) to avoid filling the disk space.
Testing
Local testing
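The filter behaviour the description implies (decode once, look for "../", decode again, strip "../" in a single pass) is reproduced below as an added example so the nested payload quoted above can be reasoned about, with a hardened resolver and a log-triage check placed beside it. This is example code written for this page, not the PR's or the project's own implementation; `REPORT_DIR`, the function names, and the exact shape of the weak filter are assumptions.

```python
"""Added example (not the project's code): why a one-pass "../" strip is
bypassed by a nested, double-URL-encoded path, and how to resolve the path
safely instead.  REPORT_DIR and the weak filter's shape are assumptions."""
import tempfile
from pathlib import Path
from typing import Optional, Tuple
from urllib.parse import unquote

# Constructed base directory standing in for wherever reports are stored.
REPORT_DIR = Path(tempfile.mkdtemp(prefix="reports-")).resolve()


def weak_sanitize(raw_param: str) -> Optional[str]:
    """Vulnerable pattern (assumed shape).  Returns the path string the
    file handler would open, or None when the naive check rejects it."""
    once = unquote(raw_param)            # what the framework hands the view
    if "../" in once:                    # single encoding ("..%2F") is caught here
        return None
    twice = unquote(once)                # a second decode inside the handler
    return twice.replace("../", "")      # one pass: "..././" collapses to "../"


def safe_resolve(raw_param: str) -> Optional[Path]:
    """Hardened version: decode once, reject leftover encoding and NUL bytes,
    then resolve against REPORT_DIR and require the result to stay inside it.
    Returns the resolved Path, or None when the request is rejected."""
    once = unquote(raw_param)
    if "%" in once or "\x00" in once:
        return None                      # still encoded after one decode
    candidate = (REPORT_DIR / once).resolve()
    if REPORT_DIR not in candidate.parents:
        return None                      # escaped the base, or absolute path given
    return candidate


def decode_rounds(value: str, limit: int = 5) -> Tuple[str, int]:
    """Decode until the value stops changing (bounded); returns the final
    value and how many decode rounds it took.  Useful for log triage."""
    rounds = 0
    while rounds < limit:
        nxt = unquote(value)
        if nxt == value:
            break
        value, rounds = nxt, rounds + 1
    return value, rounds


def is_suspicious(raw_param: str) -> bool:
    """Triage heuristic for a file-download endpoint: multiply-encoded input,
    or a '..' token anywhere in the fully decoded value, is worth an alert."""
    final, rounds = decode_rounds(raw_param)
    return rounds > 1 or ".." in final


if __name__ == "__main__":
    # Constructed sample parameters, including the one quoted in the PR.
    for p in ("report.pdf", "..%2Ffile.py", "%252E%252E%252Ffile.py",
              "%252E%252E%252E%252F%252E%252Ffile.py"):
        print(f"{p:42} weak={weak_sanitize(p)!r:16} "
              f"safe={safe_resolve(p)} suspicious={is_suspicious(p)}")
```

The single-encoded and the plain double-encoded forms are both harmless against the weak filter; only the nested form survives, because the strip runs once and the leftover characters reassemble into "../". The hardened resolver never inspects the string for traversal tokens at all: it decodes exactly once, refuses anything that is still encoded, and lets `Path.resolve()` decide whether the final location is inside the base directory.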