OneUptime Unauthenticated Path Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in OneUptime versions prior to 10.0.21. The issue exists in the '/workflow/docs/:componentName' endpoint, where the 'componentName' parameter is directly concatenated into a file path and sent to 'res.sendFile()' without proper sanitization or authentication. This vulnerability allows unauthenticated users to read arbitrary files from the server's filesystem, including sensitive environment variables and database credentials.

Impact

Exploitation of this vulnerability allows for unauthenticated arbitrary file reading from the server. More critically, leaking the 'ENCRYPTION_SECRET' (used as the JWT signing key) enables an attacker to forge admin authentication tokens, gaining full control of the platform. Additionally, other leaked files may contain environment secrets, database credentials, TLS private keys, or application source code.

Reproduction

To reproduce this vulnerability, send a GET request to the '/workflow/docs/:componentName' endpoint, replacing ':componentName' with a payload that includes directory traversal sequences (such as '..') to access arbitrary files. For example, requesting '/workflow/docs/..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd' will return the contents of the '/etc/passwd' file. More critically, requesting '/workflow/docs/..%2F..%2F..%2F..%2F.env' will leak sensitive environment variables such as 'ENCRYPTION_SECRET' and 'DATABASE_PASSWORD'.

Remediation

Users are advised to update to OneUptime version 10.0.21 or later. Additionally, implement validation for the 'componentName' parameter against an allowlist of known documentation files, or sanitize the path to ensure it remains within the intended directory before sending the file. Adding authentication middleware to the endpoint can also help mitigate the vulnerability.

Added: Mar 10, 2026, 6:48 PM
Updated: Mar 10, 2026, 6:48 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.3
remediation: 0.0
relevance: 3.7
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.