bug: Read and Write Arbitrary File to server #2872

Closed
NHPT opened this issue May 6, 2024 · 2 comments
Labels
P0: critical Mission critical type: bug Something isn't working
Comments

@NHPT

NHPT commented May 6, 2024

Describe the bug
Jan's API interfaces writeFileSync and appendFileSync do not filter their parameters, resulting in an arbitrary file upload vulnerability.
Jan's API interface readFileSync does not filter its parameters, resulting in an arbitrary file read/download vulnerability.

Steps to reproduce

Expected behavior
Read and Write Arbitrary File to server.

Screenshots

Environment details

  • Operating System: [Docker]
  • Jan Version: [0.4.12]
  • Processor: [Intel]
  • RAM: [e.g., 8GB, 16GB]
  • Any additional relevant hardware specifics: [e.g., Graphics card, SSD/HDD]

Logs
If the cause of the error is not clear, kindly provide your usage logs: https://jan.ai/docs/troubleshooting#how-to-get-error-logs

Additional context
Add any other context or information that could be helpful in diagnosing the problem.

@NHPT NHPT added the type: bug Something isn't working label May 6, 2024
@Van-QA Van-QA changed the title bug: [DESCRIPTION] bug: Read and Write Arbitrary File to server May 7, 2024
@louis-jan
Contributor

We are deprecating access to the FS module from the client.

@Van-QA Van-QA added the P0: critical Mission critical label Jul 10, 2024
@Van-QA Van-QA mentioned this issue Jul 11, 2024
3 tasks
@Van-QA Van-QA added this to the v.0.5.2 milestone Jul 11, 2024
@Van-QA Van-QA mentioned this issue Jul 11, 2024
6 tasks
@Van-QA
Contributor

Van-QA commented Jul 15, 2024

Jan resolved the issue in Jan v0.5.2, and deprecated the @janhq/core package. Could you kindly double-check if the problem still exists?
github/advisory-database#4606

@Van-QA Van-QA closed this as completed Jul 15, 2024