eghuzefa engineer-your-data Path Traversal Vulnerability
Vulnerability
A path traversal vulnerability has been identified in eghuzefa engineer-your-data versions through 0.1.3. The issue lies in the file operation functions in src/server.py, where the path built from the WORKSPACE_PATH variable can be manipulated, allowing arbitrary file access. The vulnerability can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability allows arbitrary file read and write operations that bypass the intended workspace directory restriction. This could lead to unauthorized access to sensitive files, or to disruption of local workflows when important files are overwritten.
Reproduction
To reproduce this vulnerability, invoke the 'read_file' tool through the application's JSON-RPC interface with a file path outside the designated WORKSPACE_PATH directory, such as '/etc/hosts'. The tool returns the contents of that file, demonstrating the path traversal flaw.
Remediation
It is recommended to enforce WORKSPACE_PATH as a strict root for all file-related tools, so that a resolved path can never escape the designated workspace. Additionally, running the application under a restricted user account that lacks access to sensitive files limits the impact of any remaining flaw.
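The following is an added example of the recommended containment check, not code from the engineer-your-data project: a client-supplied path is resolved (symlinks followed, '..' collapsed) and then compared component-wise against the resolved workspace root, which rejects relative traversal, absolute paths, and symlinks that point outside the workspace. The WORKSPACE_PATH default, the is_inside_workspace helper, and the constructed demo workspace are assumptions for illustration.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical default; the real server reads WORKSPACE_PATH from its environment.
WORKSPACE_PATH = Path(os.environ.get("WORKSPACE_PATH", "/tmp/workspace"))


class PathOutsideWorkspace(ValueError):
    """Raised when a requested path does not stay under the workspace root."""


def safe_workspace_path(requested: str, root: Path = WORKSPACE_PATH) -> Path:
    """Resolve a client-supplied path and refuse anything outside root.

    The containment check runs on the fully resolved path (symlinks followed,
    '..' collapsed) and compares path components rather than string prefixes,
    so '/ws2/x' is never mistaken for a child of '/ws'.
    """
    root = root.resolve()
    # Joining discards root when `requested` is absolute, so '/etc/hosts'
    # resolves to itself and then fails the containment check below.
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PathOutsideWorkspace(f"{requested!r} escapes the workspace") from None
    return candidate


def is_inside_workspace(requested: str, root: Path = WORKSPACE_PATH) -> bool:
    try:
        safe_workspace_path(requested, root)
        return True
    except PathOutsideWorkspace:
        return False


def read_file(path: str, root: Path = WORKSPACE_PATH) -> str:
    """Hardened counterpart of the advisory's read_file tool."""
    return safe_workspace_path(path, root).read_text()


def make_demo_workspace() -> Path:
    """Constructed sample workspace: one file plus a symlink pointing outside it."""
    root = Path(tempfile.mkdtemp(prefix="ws-"))
    (root / "notes.txt").write_text("constructed sample")
    os.symlink(root.parent, root / "escape")  # symlink to the parent directory
    return root


if __name__ == "__main__":
    ws = make_demo_workspace()
    for p in ["notes.txt", "../../etc/hosts", "/etc/hosts", "escape/notes.txt"]:
        print(f"{p!r:22} allowed={is_inside_workspace(p, ws)}")
```

Only the first of the four sample paths is accepted; the other three are refused before any file is opened.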
