Path Traversal Vulnerability #2112

Closed
eric-therond-sonarsource opened this issue Oct 8, 2020 · 2 comments

@eric-therond-sonarsource

Hello
Thanks for maintaining this open-source project
I would like to report a path traversal vulnerability similar to:

In the ImportController.Create method, the model.TempFileName user-controlled input is not validated, and an attacker can perform a path traversal attack to copy an arbitrary file into a new profile and delete the original file.


Eric
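
The kind of validation the report says is missing, as an added example that is not part of the original issue and not the project's actual fix. `SafeTempPath`, `Resolve`, `tempRoot` and the sample inputs are hypothetical names chosen for illustration; the helper assumes the temporary file name is meant to be a bare file name inside one known directory.

```csharp
using System;
using System.IO;

public static class SafeTempPath   // hypothetical helper, not the project's code
{
    // Maps a user-supplied file name to a full path inside tempRoot, or throws
    // if the value could resolve anywhere else.
    public static string Resolve(string tempRoot, string userFileName)
    {
        if (string.IsNullOrWhiteSpace(userFileName) || userFileName == "." || userFileName == "..")
            throw new ArgumentException("A plain file name is required.", nameof(userFileName));

        // 1. Accept a bare file name only. Separators and ':' are rejected
        //    explicitly so the result is the same on Windows and Unix hosts.
        if (userFileName.IndexOfAny(new[] { '/', '\\', ':' }) >= 0 ||
            userFileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new UnauthorizedAccessException("File name must not contain a path.");

        // 2. Defence in depth: canonicalize and confirm the result stays under the root.
        string root = Path.GetFullPath(tempRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString(), StringComparison.Ordinal))
            root += Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, userFileName));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Resolved path escapes the temp directory.");

        return full;
    }

    public static void Main()
    {
        // Constructed sample root and inputs: the first is legitimate, the rest must be rejected.
        string root = Path.Combine(Path.GetTempPath(), "import-demo");
        string[] samples = { "upload_42.csv", "../other.txt", @"..\..\other\file.txt", @"C:\other\file.txt", ".." };
        foreach (string name in samples)
        {
            try { Console.WriteLine("OK      " + name + " -> " + Resolve(root, name)); }
            catch (Exception ex) when (ex is UnauthorizedAccessException || ex is ArgumentException)
            { Console.WriteLine("REJECT  " + name + " (" + ex.Message + ")"); }
        }
    }
}
```

Resolving the name once, before the copy and the delete, keeps both file operations confined to the same directory.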

mgesing self-assigned this Oct 8, 2020
mgesing added this to the 4.1 milestone Oct 8, 2020
@eric-therond-sonarsource

Thank you @mgesing for the quick fixes
For information, this vulnerability and the ones reported in #2113 have been found automatically by SonarSource products.
You can try sonarcloud.io for instance, it's free for open-source projects.

Eric

@mgesing

mgesing commented Oct 13, 2020

Thank you, Eric.
