Description
Three related vulnerabilities in the file handling layer that allow an attacker to read, write, or delete arbitrary files on the server.
Vulnerability 1 — Path Traversal via 'casename'
File: API/Routes/Case/CaseRoute.py ~L103
Affected: deleteCase(), copyCase(), saveCase(), getResultData(), backupCase()
casename comes directly from user-supplied JSON with no validation and is passed straight into filesystem operations:
```python
case = request.json['casename']
casePath = Path(Config.DATA_STORAGE, case)
shutil.rmtree(casePath)
```

Sending `{"casename": "../../"}` to deleteCase causes shutil.rmtree to walk up the directory tree and delete everything it has permission to touch. The same pattern in the copy/read routes also allows directory traversal or data leaks.
Introduce a safe_case_path() helper and enforce it on all routes that accept casename.
Vulnerability 2 — ZIP Slip via extractall()
File: API/Routes/Upload/UploadRoute.py ~L281
```python
zf.extractall(os.path.join(Config.EXTRACT_FOLDER))
```

extractall() does not sanitize archive entry paths. A crafted ZIP with entries like `../../../etc/cron.d/backdoor` will write files outside EXTRACT_FOLDER to arbitrary locations on the filesystem.
Introduce a method to validate each file path before extraction to ensure it stays within the designated folder.
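The two fixes proposed above (a `safe_case_path()` helper for Vulnerability 1 and per-entry validation before extraction for Vulnerability 2), written out as an added example; this is not the project's code, and `DATA_STORAGE` / `EXTRACT_FOLDER` are constructed stand-ins for the `Config` values, which are not on the page:

```python
import io
import zipfile
from pathlib import Path

# Constructed stand-ins for Config.DATA_STORAGE and Config.EXTRACT_FOLDER.
DATA_STORAGE = Path("/srv/app/data")
EXTRACT_FOLDER = Path("/srv/app/extract")


def safe_case_path(casename: str, base: Path = DATA_STORAGE) -> Path:
    """Map a user-supplied casename to a direct child of `base`, or raise ValueError."""
    # A case name is a single path component: no separators, dot-names or NUL bytes.
    if not casename or casename in (".", "..") or any(c in casename for c in "/\\\0"):
        raise ValueError(f"invalid casename: {casename!r}")
    base_resolved = base.resolve()
    candidate = (base_resolved / casename).resolve()
    # resolve() collapses '..' and symlinks; the parent check then enforces
    # that the final target is still directly inside the data directory.
    if candidate.parent != base_resolved:
        raise ValueError(f"casename escapes data storage: {casename!r}")
    return candidate


def unsafe_zip_members(zf: zipfile.ZipFile, dest: Path = EXTRACT_FOLDER) -> list:
    """Return entry names whose extraction target would land outside `dest`."""
    dest_resolved = dest.resolve()
    bad = []
    for info in zf.infolist():
        target = (dest_resolved / info.filename).resolve()
        # Absolute names and '..' components both fail this containment test.
        if target != dest_resolved and dest_resolved not in target.parents:
            bad.append(info.filename)
    return bad


def extract_safely(zf: zipfile.ZipFile, dest: Path = EXTRACT_FOLDER) -> None:
    """Refuse the whole archive if any entry escapes `dest`; otherwise extract."""
    bad = unsafe_zip_members(zf, dest)
    if bad:
        raise ValueError(f"zip slip entries rejected: {bad}")
    zf.extractall(dest)


def build_sample_zip() -> zipfile.ZipFile:
    """Constructed in-memory archive: one benign entry, one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as out:
        out.writestr("report/summary.txt", "fine")
        out.writestr("../../../etc/cron.d/backdoor", "constructed payload")
    buf.seek(0)
    return zipfile.ZipFile(buf)
```

The containment check rejects the archive as a whole rather than silently skipping bad entries, so an upload that fails validation leaves nothing on disk.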
Vulnerability 3 — Unbounded File Upload Size
File: API/app.py ~L46
```python
app.config["MAX_CONTENT_LENGTH"] = None
```

No upload size limit is enforced. A multi-GB POST to any upload endpoint can exhaust disk space or memory.