Dagu Path Traversal Vulnerability in DAG Creation API Endpoint Allows Arbitrary File Write
Vulnerability
A path traversal vulnerability has been identified in the Dagu workflow engine, specifically in versions through 1.16.7. The issue arises in the 'CreateNewDAG' API endpoint, where user-supplied DAG names are not properly validated before being sent to the file store. This oversight allows authenticated users with DAG write permissions to create YAML files in arbitrary locations on the filesystem, depending on the process's permissions. Exploiting this vulnerability is particularly concerning because Dagu executes these YAML files as shell commands. As a result, an attacker could potentially execute malicious commands remotely by overwriting DAG files or configuration files on another instance.
Impact
Exploitation of this vulnerability could lead to remote code execution on the server where Dagu is running.
Reproduction
To reproduce this vulnerability, send a POST request to the '/api/v1/dags' endpoint with a DAG name that includes path traversal sequences, such as '../../tmp/pwned'. Include a YAML specification that, when executed, would demonstrate the impact, such as a command that writes to a file or executes a shell command.
Remediation
Users can update to Dagu version 1.16.8 or later, where this vulnerability has been fixed.
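For defenders reviewing similar file-store code, the following added example (not Dagu's own code or its actual patch) contrasts an unchecked name-to-path join with a validated one. The function names, the allow-list pattern and the sample directory are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Allow-list for DAG names (assumed policy for this example, not Dagu's own rule).
var dagNameRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$`)

var ErrInvalidDAGName = errors.New("invalid DAG name")

// unsafeDAGPath shows the flawed pattern: the user-supplied name is joined unchecked.
func unsafeDAGPath(baseDir, name string) string {
	return filepath.Join(baseDir, name+".yaml")
}

// safeDAGPath validates the name, then confirms the resolved path stays under baseDir.
func safeDAGPath(baseDir, name string) (string, error) {
	if !dagNameRe.MatchString(name) || strings.Contains(name, "..") {
		return "", ErrInvalidDAGName
	}
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, name+".yaml")
	// Defense in depth: the path relative to base must not climb out of it.
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || filepath.IsAbs(rel) ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidDAGName
	}
	return full, nil
}

func main() {
	base := "/var/lib/dagu/dags" // constructed sample directory
	names := []string{"nightly-backup", "../../tmp/pwned", "/etc/cron.d/x", "a/b"}
	for _, n := range names {
		p, err := safeDAGPath(base, n)
		fmt.Printf("%-18q unsafe=%s safe=%q err=%v\n", n, unsafeDAGPath(base, n), p, err)
	}
}
```

Rejecting the name at the API boundary and re-checking containment at the file store gives two independent controls, so a bypass of one does not yield a write outside the DAG directory.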
