Vulnerability Name

File Read API Case Sensitivity Bypass Vulnerability

Overview

The /api/file/getFile endpoint uses case-sensitive string equality checks to intercept access to sensitive files. On Windows (case-insensitive file systems), attackers can bypass these protections using mixed-case paths to read protected configuration files.

Impact

• Read sensitive information from configuration files (such as access codes, API tokens, synchronization configurations, etc.)
• Remote direct exploitation possible when the publishing service runs without authentication

Trigger Conditions

• Running on a case-insensitive file system
• Caller has access to /api/file/getFile (either through CheckAuth or by injecting tokens via the publishing service)

Proof of Concept

After enabling publishing:

Request

POST /api/file/getFile 
Content-Type: application/json
{"path":"cOnf/conf.json"}

Expected Result

• Successfully returns the contents of the configuration file

Root Cause

The path comparison uses strict case-sensitive string matching without case normalization or file-level comparison.

Fix Recommendations

• Normalize paths to lowercase/canonical form before comparison (Windows/macOS)
• Use file-level comparison methods such as os.SameFile
• Apply case-normalized blacklist checks for all sensitive paths

Notes

• Environment-specific identifiers and sensitive information have been removed

Resolution

Commit: 399a38893e8719968ea2512e177bb53e09973fa6

Summary

This is a path traversal/bypass vulnerability where case sensitivity differences between file systems can be exploited to access protected configuration files through the file read API.

Vulnerability Report Translation

This advisory was translated from Chinese (Simplified Chinese) by GitHub Copilot.