Skip to content

LFI vuln (v1) #319

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: develop
Choose a base branch
from
Open

LFI vuln (v1) #319

wants to merge 2 commits into from

Conversation

keyurdoshi03
Copy link
Collaborator

@keyurdoshi03 keyurdoshi03 commented Aug 9, 2025
edited
Loading

Description

  • Implemented LFI vulnerability where only double url-encoded with nested traversal works
    So, to access path like "../file.py", the parameter that needs to be passed is "%252E%252E%252E%252F%252E%252Ffile.py", which translates to "..././file.py"
    [More safeguards can be added to make LFI even more difficult]

  • Added verbose error messages to help understand what kind of path will bypass checks

  • Added download service report functionality where this vulnerability is injected

  • Limited file storage to 50 pdfs (configurable) to avoid filling the disk space

Testing

Local testing

Documentation

Make sure that you have documented corresponding changes in this repository.

Checklist:

  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • Any dependent changes have been merged
  • I have documented any changes if required in the docs.

github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 9, 2025
View reviewed changes
@github-actions GitHub Actions
Copy link

github-actions bot commented Aug 9, 2025
edited
Loading

Test Results

93 tests  ±0   93 ✅ ±0   2s ⏱️ ±0s
17 suites ±0    0 💤 ±0 
 7 files   ±0    0 ❌ ±0 

Results for commit b8f8658. ± Comparison against base commit 1bbcd3c.

♻️ This comment has been updated with latest results.

@github-actions GitHub Actions
Copy link

github-actions bot commented Aug 9, 2025
edited
Loading

☂️ Python Coverage

current status: ✅

Overall Coverage

Lines Covered Coverage Threshold Status
1364 1090 80% 0% 🟢

New Files

No new covered files...

Modified Files

File Coverage Status
services/workshop/crapi/mechanic/urls.py 100% 🟢
services/workshop/crapi/mechanic/views.py 76% 🟢
services/workshop/crapi_site/settings.py 85% 🟢
TOTAL 87% 🟢

updated for commit: b8f8658 by action🐍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@keyurdoshi03