Dagu Path Traversal Vulnerability in DAG Management API
Vulnerability
A path traversal vulnerability has been identified in Dagu, a workflow engine with a web user interface, affecting versions from 2.0.0 up to but not including 2.3.1. The vulnerability arises because certain API endpoints (GET, DELETE, RENAME, EXECUTE) do not validate the {fileName} URL path parameter before passing it to the locateDAG function. As a result, %2F-encoded forward slashes in the {fileName} segment are decoded into real path separators, allowing the resolved path to traverse outside the intended DAGs directory and potentially leading to unauthorized access to, or manipulation of, files on the server.
Impact
Exploitation of this vulnerability allows an authenticated user (or any user if auth.mode=none) to read or delete any .yaml/.yml file on the server filesystem that the process can access. This includes Kubernetes secrets stored as YAML, application configuration files, and other DAG files. Additionally, the vulnerability could be exploited through the execution endpoints, which load the specified YAML file as a DAG definition and execute it as a workflow, potentially running shell commands as the user under which the Dagu process is running.
Reproduction
The vulnerability can be reproduced by sending a request to one of the affected API endpoints (such as GET /dags/{fileName}/spec) with a {fileName} parameter that includes %2F-encoded slashes to traverse outside the DAGs directory. The locateDAG function will decode the path and return the contents of the traversed file, demonstrating the path traversal vulnerability.
Remediation
Users can update to Dagu version 2.3.1 or later, where this vulnerability has been patched.
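The control that the fix needs, shown as an added Go example (not Dagu's own code; SafeLocateDAG, the sample segments and the /srv/dagu/dags directory are hypothetical): decode the raw {fileName} segment exactly as the router would, reject anything that is not a single path component, and confirm the resolved path still lies inside the DAG directory.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrInvalidDAGName is returned when a {fileName} segment would escape the DAG directory.
var ErrInvalidDAGName = errors.New("invalid DAG file name")

// SafeLocateDAG is a hypothetical hardened lookup. It decodes the raw path segment
// (so %2F becomes "/"), rejects separators and parent references, and then verifies
// that the joined path is still contained in baseDir.
func SafeLocateDAG(baseDir, rawSegment string) (string, error) {
	name, err := url.PathUnescape(rawSegment)
	if err != nil {
		return "", ErrInvalidDAGName
	}
	// A DAG name must be a single path component: no "/" or "\", no "." or "..", no NUL.
	if name == "" || name == "." || name == ".." ||
		strings.ContainsAny(name, "/\\\x00") {
		return "", ErrInvalidDAGName
	}
	// Accept the name with or without a YAML extension; default to .yaml.
	if !strings.HasSuffix(name, ".yaml") && !strings.HasSuffix(name, ".yml") {
		name += ".yaml"
	}
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, name)
	// Defence in depth: even after the component check, verify containment.
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidDAGName
	}
	return full, nil
}

func main() {
	// Constructed sample segments: one legitimate name, two encoded-traversal attempts.
	for _, seg := range []string{"backup", "..%2F..%2Fetc%2Fsecret.yaml", "a%2Fb.yml"} {
		p, err := SafeLocateDAG("/srv/dagu/dags", seg)
		fmt.Printf("%-32q -> path=%q err=%v\n", seg, p, err)
	}
}
```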
