Files-Bucket-Server Directory Traversal Vulnerability
Vulnerability
A directory traversal vulnerability has been identified in all versions of the files-bucket-server package. This vulnerability allows an attacker to traverse the file system and access files outside of the intended directory. The issue arises when the package is used to create a file server that restricts access to a specific directory but fails to properly enforce these restrictions, enabling unauthorized access to files in the root directory.
Impact
Exploitation of this vulnerability allows for unauthorized file access and manipulation, such as deleting files outside the designated directory.
Reproduction
To reproduce this vulnerability, install the files-bucket-server package and create a directory for private files. Add a file to this directory and also create a file in the root directory. Then, define a server using the files-bucket-server package, restricting access to the private-files directory. After starting the server, verify that access to the file in the private directory is working. Finally, use the server's RESTful API to delete a file from the root directory, demonstrating the directory traversal vulnerability by bypassing the intended access restrictions.
