# File Read Interface Case Bypass Vulnerability

## Vulnerability Name
File Read Interface Case Bypass Vulnerability

## Overview
The `/api/file/getFile` endpoint uses **case-sensitive string equality checks** to block access to sensitive files. On case-insensitive file systems such as **Windows**, an attacker can bypass the restriction with a mixed-case path and read protected configuration files.

## Impact
- Disclosure of sensitive information in configuration files (e.g., access codes, API tokens, sync configurations).
- Directly exploitable from the network when the service is published without authentication.

## Trigger Conditions
- The service runs on a **case-insensitive file system**.
- The caller can reach `/api/file/getFile` (via CheckAuth, or via token injection in published services).

## PoC (Generic Example)
After enabling publication:

**Request:**
```http
POST /api/file/getFile
Content-Type: application/json

{"path":"cOnf/conf.json"}
```

**Expected Result:**
- The content of the configuration file is returned.

## Root Cause
Path comparison uses strict case-sensitive string matching, with no case normalization and no check that the requested path resolves to the same file as a protected one.

## Fix Recommendations
- Normalize path casing before comparison (Windows/macOS).
- Use a file-level comparison such as `os.SameFile`.
- Apply the sensitive-path blacklist **after case normalization**.

## Notes
- Environment identifiers and sensitive information have been removed.

## Solution Commit
`399a38893e8719968ea2511e177bb53e09973fa6`
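The flawed comparison beside its hardened form, as an added Go example that is not the project's own code (the blocklist entry, the data root and the function names are assumptions): the naive check compares strings exactly, so a mixed-case spelling slips past it; the hardened check cleans and case-folds the request, then confirms identity with `os.SameFile` whenever the path resolves to an existing file.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Constructed blocklist of protected files relative to the data root (hypothetical values).
var protectedPaths = []string{"conf/conf.json"}

// isBlockedNaive mirrors the flawed check: exact, case-sensitive equality.
// On a case-insensitive file system "cOnf/conf.json" is not equal to the
// blocklist entry, yet os.Open resolves it to the very same file.
func isBlockedNaive(reqPath string) bool {
	for _, p := range protectedPaths {
		if reqPath == p {
			return true
		}
	}
	return false
}

// isBlockedHardened applies the fix recommendations: the request is cleaned and
// compared case-insensitively, and when it resolves to an existing file under
// root, os.SameFile confirms identity (this also catches links to the same file).
func isBlockedHardened(root, reqPath string) bool {
	clean := filepath.ToSlash(filepath.Clean("/" + reqPath))[1:] // drops "./" and ".." segments
	reqInfo, reqErr := os.Stat(filepath.Join(root, clean))
	for _, p := range protectedPaths {
		if strings.EqualFold(clean, p) {
			return true
		}
		if reqErr != nil {
			continue // request names no existing file; the string check is all we have
		}
		if pInfo, err := os.Stat(filepath.Join(root, p)); err == nil && os.SameFile(reqInfo, pInfo) {
			return true
		}
	}
	return false
}

func main() {
	for _, req := range []string{"conf/conf.json", "cOnf/conf.json", "docs/readme.md"} {
		fmt.Printf("%-16s naive=%-5v hardened=%v\n", req, isBlockedNaive(req), isBlockedHardened(".", req))
	}
}
```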