(SECURITY BUG) Path Traversal Vulnerability in Download Endpoints

[linisha15]

Description

Download endpoints (/downloadFile, /downloadCSVFile, /downloadResultsFile) accept a user-supplied filename parameter and directly join it into a file path without validation. An attacker can use path traversal sequences (e.g., ../../) to download arbitrary files from the system.

Why This Matters

High severity security issue: Attackers can read sensitive files (API keys, configs, user data)
Violates OWASP Path Traversal (CWE-22) guidelines
Affects production security posture
Violates principle of least privilege (no input validation)

Location

File:API/Routes/DataFile/DataFileRoute.py
Lines: 191–210

Current Vulnerable Code

file = request.args.get('file')  # User-controlled input
dataFile = Path(Config.DATA_STORAGE, case, 'res', 'csv', file)  # Directly joined!
return send_file(dataFile.resolve(), as_attachment=True, max_age=0)

Proof of Concept

# Normal request (intended)
GET /downloadFile?case=my_case&file=results.csv

# Malicious request (path traversal)
GET /downloadFile?case=my_case&file=../../../API/app.py
# Returns: API/app.py (Secret_Key exposed!)

GET /downloadFile?case=my_case&file=../../WebAPP/DataStorage/other_case/data.json
# Returns: Another user's case data (privacy breach!)

Expected Behavior

Only files within the intended directory (res/csv/) should be accessible
Paths containing .. should be rejected
Attempts to escape the directory should return 400 Bad Request

Acceptance Criteria

• Validate that the resolved file path is within the intended directory
• Reject requests with .. or other escape sequences in the filename
• Use pathlib.Path.resolve() with a directory containment check
• Return 400 Bad Request with a clear error message for invalid paths
• Write a test case demonstrating the fix blocks path traversal

[Sameer-00001]

Hi @linisha15, I would like to work on this high-priority security issue. I have a local fix ready using pathlib to ensure the resolved path remains strictly within the intended directory, as per OWASP guidelines.

My approach involves:

Using .resolve() to normalize the path and eliminate traversal sequences like ...

Adding a check to verify that the final path starts with the base DATA_STORAGE directory.

Returning a 400 Bad Request if the path attempts to escape the intended folder.

May I be assigned to submit the PR for this?

[linisha15]

Hi! @Sameer-00001 Thanks for your interest in working on this. I already have a suggested fix for the issue,That said, you’re absolutely welcome to work on it as well if you'd like. Feel free to try implementing the fix or propose improvements.

[Sameer-00001]

Hey @linisha15 can you please check the comment again for my approach ?

[linisha15]

Thanks for the quick response and for sharing your proposed fix — your approach looks solid and aligns well with the intended mitigation (path normalization plus strict containment checks).

I’m planning to work on this fix and open the PR from my side. Really appreciate you taking the time to outline an OWASP-aligned approach.

If you’d like, I can mention you in the PR discussion once it’s open so you can share feedback.