Gyoridavid Short-Video-Maker Path Traversal Vulnerability in REST API
Vulnerability
A path traversal vulnerability has been identified in Gyoridavid Short-Video-Maker versions through 1.3.4. The issue resides in the REST API component, specifically in the file 'src/server/routers/rest.ts'. The route parameters 'req.params.tmpFile' and 'req.params.fileName' are used to build file system paths without being confined to their intended directories, so a remote attacker who supplies traversal sequences in them can access files outside those directories on the server.
Impact
Successful exploitation gives a remote attacker access to arbitrary server-side files that the application process can read, potentially disclosing sensitive information.
Reproduction
To reproduce this vulnerability, send a request to the '/api/tmp/:tmpFile' or '/api/music/:fileName' endpoint in which the route parameter contains traversal sequences such as '../' (URL-encoded where necessary so that the value is still matched as a single path segment). Because the parameter is not confined to its intended directory, the resolved path escapes that directory and the server accesses the file it points to instead.
Remediation
Update the REST API so that route parameters are validated before they are used in a file path: reject values containing traversal sequences, path separators or absolute paths, and additionally resolve the final path and confirm that it lies within the intended directory before serving the file. Stripping '../' from the input is not sufficient on its own; the check must be performed on the fully resolved path.
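The following TypeScript is an added example of that remediation, not code from the Short-Video-Maker project: it places the unchecked pattern next to two hardened forms, one that confines the resolved path to the base directory and one that accepts only a bare file name. The directory name, the function names and the 400 status for rejected input are assumptions made for the example; the handler logic is kept free of Express so it can be run without a server.

```typescript
// Added example (not the project's own code): confining a route parameter
// such as req.params.tmpFile to a fixed directory before serving a file.
import * as path from "path";

// Assumed location of the temp-file directory; not the project's real layout.
const TMP_DIR = path.resolve("/srv/short-video-maker/tmp");

// Vulnerable pattern: the parameter is joined onto the base directory with no
// check on where the result ends up, so "../../etc/passwd" escapes baseDir.
export function unsafeResolve(baseDir: string, requested: string): string {
  return path.join(baseDir, requested);
}

// Hardened form 1: resolve the full path, then require that it is strictly
// inside baseDir. Rejects empty input, NUL bytes (which truncate the path in
// the underlying C API), absolute paths, "..", and the directory itself.
export function resolveInside(baseDir: string, requested: string): string | null {
  if (requested.length === 0 || requested.includes("\0")) return null;
  const root = path.resolve(baseDir);
  const target = path.resolve(root, requested);
  if (target === root) return null;
  // The separator suffix stops "/srv/tmp-other" from passing as "/srv/tmp".
  if (!target.startsWith(root + path.sep)) return null;
  return target;
}

// Hardened form 2, for a flat directory of generated files: accept only a
// single path component drawn from a conservative character set, so neither
// separators nor traversal sequences can survive validation at all.
const SAFE_NAME = /^[A-Za-z0-9._-]+$/;
export function resolveFlatName(baseDir: string, requested: string): string | null {
  const name = path.basename(requested);
  if (name !== requested) return null;           // contained a separator
  if (name === "." || name === "..") return null; // passes the regex otherwise
  if (!SAFE_NAME.test(name)) return null;
  return path.join(path.resolve(baseDir), name);
}

// Route logic lifted out of the handler: decide how ':tmpFile' is answered.
// 400 for rejected input is an assumption; any non-success status will do.
export function tmpFileResponse(tmpFile: string): { status: number; file?: string } {
  const file = resolveInside(TMP_DIR, tmpFile);
  return file === null ? { status: 400 } : { status: 200, file };
}

// Runs the three resolvers over constructed probe values and reports which
// ones each accepts. Sample inputs are constructed for the example.
export function demo(): Record<string, { unsafe: string; inside: string | null; flat: string | null }> {
  const probes = ["video-42.mp4", "../../etc/passwd", "/etc/passwd", "sub/../x.mp4", "a\0.mp4"];
  const out: Record<string, { unsafe: string; inside: string | null; flat: string | null }> = {};
  for (const p of probes) {
    out[p] = {
      unsafe: unsafeResolve(TMP_DIR, p),
      inside: resolveInside(TMP_DIR, p),
      flat: resolveFlatName(TMP_DIR, p),
    };
  }
  return out;
}

console.log(demo());
```

Note the difference between the two hardened forms on 'sub/../x.mp4': resolveInside normalises it to a file inside the directory and accepts it, while resolveFlatName rejects anything that is not a single bare name. For endpoints that only ever serve files from one flat directory, the stricter form is the easier one to reason about.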
