Ghantakiran Splunk-MCP-Integration CSV Export Path Traversal Vulnerability
Vulnerability
A path traversal vulnerability has been identified in the Ghantakiran Splunk-MCP-Integration project, specifically in the CSV Export component, at commit 0b86b09d5e5adf0433acd43c975951224613a1a6. The issue arises in the 'create_csv_export' function within 'services/csv-export-service/app/api/v1/endpoints/csv_export.py'. The user-supplied 'job_name' argument flows into the export filename without sanitization, so a remote, authenticated user can use traversal sequences to write files outside the intended export directory. This issue has been publicly disclosed and may be exploited.
Impact
Exploitation of this vulnerability allows authenticated users with 'csv_create' permission to write files outside the designated CSV output directory, potentially leading to unauthorized access or modification of files.
Reproduction
To reproduce this vulnerability, send an authenticated POST request to the '/api/v1/export/' endpoint with a 'job_name' that includes traversal sequences, such as '../', to escape the intended directory. The request must also include a small static data source. Once the request is processed, the exported file will be created outside the 'CSV_OUTPUT_DIR', demonstrating the path traversal exploit.
Remediation
It is recommended to sanitize the 'job_name' input before it is used to generate filenames: remove path separators ('/' and '\') and restrict the remaining characters to a conservative allowlist, since stripping separators alone still leaves '..' and similar sequences in place. Alternatively, export filenames could be created from a server-side UUID so that user input never reaches the filesystem path at all. In either case, after constructing the file path, a final check should resolve the path (following symlinks) and confirm that it remains within 'CSV_OUTPUT_DIR' before the file is written; this check is the defense in depth that catches any sanitization bypass.
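The following is an added example written for this page, not code from the Splunk-MCP-Integration project. It places the vulnerable pattern (user input joined straight into the output path) beside a hardened version that sanitizes 'job_name', optionally replaces it with a server-side UUID, and performs the final containment check against 'CSV_OUTPUT_DIR'. The directory value, the function names and the allowlist are assumptions chosen for illustration; the project's own 'create_csv_export' endpoint is not reproduced here.

```python
"""
Added illustration for the remediation above (not the project's code).
CSV_OUTPUT_DIR, the function names and the allowlist are assumptions.
"""
import re
import uuid
from pathlib import Path

# Assumed output directory; the real service reads CSV_OUTPUT_DIR from its config.
CSV_OUTPUT_DIR = Path("/var/lib/csv-export/out")

# Conservative allowlist for filename stems: letters, digits, dot, underscore, dash.
_DISALLOWED = re.compile(r"[^A-Za-z0-9._-]")


def vulnerable_export_path(job_name: str, output_dir: Path = CSV_OUTPUT_DIR) -> Path:
    """The pattern the advisory describes: 'job_name' becomes the filename as-is.
    Path joining keeps '..' segments, so '../../etc/x' escapes output_dir."""
    return output_dir / f"{job_name}.csv"


def sanitize_job_name(job_name: str) -> str:
    """Remove path separators, drop anything outside the allowlist, and strip
    leading dots so the result can never be '..' or a hidden file."""
    name = job_name.replace("/", "").replace("\\", "")
    name = _DISALLOWED.sub("", name).lstrip(".")
    # Bound the length and never return an empty stem.
    return name[:64] or "export"


def is_within(candidate: Path, root: Path) -> bool:
    """Final containment check: resolve both sides (symlinks and '..' included)
    and require the candidate to be inside root."""
    try:
        candidate.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def hardened_export_path(job_name: str, output_dir: Path = CSV_OUTPUT_DIR,
                         use_uuid: bool = False) -> Path:
    """Build the export path safely: sanitized stem or server-side UUID,
    then refuse anything that still resolves outside output_dir."""
    stem = uuid.uuid4().hex if use_uuid else sanitize_job_name(job_name)
    candidate = output_dir / f"{stem}.csv"
    if not is_within(candidate, output_dir):
        raise ValueError("export path escapes CSV_OUTPUT_DIR")
    return candidate


if __name__ == "__main__":
    evil = "../../etc/cron.d/evil"          # constructed attacker input
    print("vulnerable:", vulnerable_export_path(evil).resolve())
    print("hardened:  ", hardened_export_path(evil))
    print("uuid:      ", hardened_export_path(evil, use_uuid=True))
```

Run as a script it prints the escaped path produced by the vulnerable builder next to the contained path produced by the hardened one. The containment check is kept as a separate function so the same test can be applied to any path the endpoint is about to open, regardless of how the filename was derived.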
