Summary
The /uploadCase endpoint accepts a client-controlled parameter dzuuid from request.form.get("dzuuid") which is used to construct a filesystem path:
chunk_dir = Config.validate_path(Config.DATA_STORAGE, Path("_chunks", dz_uuid))
Since dzuuid is not sanitized, a malicious client can supply path traversal sequences such as:
../../../../etc
Although Config.validate_path exists, the path is constructed before validation and later passed to shutil.rmtree(chunk_dir) during cleanup.
If traversal is not properly blocked, this could lead to unintended directory deletion outside the intended storage directory.
This represents a potential path traversal vulnerability (CWE-22).
Expected behavior
Client-supplied identifiers such as dzuuid should be sanitized or validated before being used in filesystem paths.
Only safe values (e.g., UUID format or restricted characters like [a-zA-Z0-9_-]) should be allowed so that chunk directories always remain within the _chunks storage directory.
Filesystem cleanup operations such as shutil.rmtree() should only operate on predictable paths within the configured storage directory.
Reproduction steps
- Send a POST request to
/uploadCase with a crafted dzuuid parameter.
Example malicious value:
dzuuid=../../../../tmp/testdir
- The server constructs the chunk directory path:
Path("_chunks", dz_uuid)
-
This may resolve outside the intended storage directory depending on validation behavior.
-
During upload completion cleanup, the server calls:
shutil.rmtree(chunk_dir)
which could delete unintended directories if traversal is not properly blocked.
Environment
OS: Windows 11 / WSL Ubuntu
Python version: 3.x
Repository: MUIOGO
Branch: main
Endpoint affected: /uploadCase
Logs or screenshots
Relevant code section:
dz_uuid = request.form.get("dzuuid")
chunk_dir = Config.validate_path(Config.DATA_STORAGE, Path("_chunks", dz_uuid))
...
shutil.rmtree(chunk_dir)
Summary
The /uploadCase endpoint accepts a client-controlled parameter
dzuuidfromrequest.form.get("dzuuid")which is used to construct a filesystem path:chunk_dir = Config.validate_path(Config.DATA_STORAGE, Path("_chunks", dz_uuid))
Since
dzuuidis not sanitized, a malicious client can supply path traversal sequences such as:../../../../etc
Although
Config.validate_pathexists, the path is constructed before validation and later passed toshutil.rmtree(chunk_dir)during cleanup.If traversal is not properly blocked, this could lead to unintended directory deletion outside the intended storage directory.
This represents a potential path traversal vulnerability (CWE-22).
Expected behavior
Client-supplied identifiers such as
dzuuidshould be sanitized or validated before being used in filesystem paths.Only safe values (e.g., UUID format or restricted characters like
[a-zA-Z0-9_-]) should be allowed so that chunk directories always remain within the_chunksstorage directory.Filesystem cleanup operations such as
shutil.rmtree()should only operate on predictable paths within the configured storage directory.Reproduction steps
/uploadCasewith a crafteddzuuidparameter.Example malicious value:
dzuuid=../../../../tmp/testdir
Path("_chunks", dz_uuid)
This may resolve outside the intended storage directory depending on validation behavior.
During upload completion cleanup, the server calls:
shutil.rmtree(chunk_dir)
which could delete unintended directories if traversal is not properly blocked.
Environment
OS: Windows 11 / WSL Ubuntu
Python version: 3.x
Repository: MUIOGO
Branch: main
Endpoint affected: /uploadCase
Logs or screenshots
Relevant code section:
dz_uuid = request.form.get("dzuuid")
chunk_dir = Config.validate_path(Config.DATA_STORAGE, Path("_chunks", dz_uuid))
...
shutil.rmtree(chunk_dir)