bug: Read and Write Arbitrary File to server #2872
Comments
Van-QA changed the title from "bug: [DESCRIPTION]" to "bug: Read and Write Arbitrary File to server" on May 7, 2024
We are deprecating access to the FS module from the client.
Jan resolved the issue in Jan v0.5.2, and deprecated the @janhq/core package. Could you kindly double-check if the problem still exists?
Describe the bug
Jan's API interfaces `writeFileSync` and `appendFileSync` do not filter parameters, resulting in an arbitrary file upload vulnerability. Jan's API interface `readFileSync` does not filter parameters, resulting in an arbitrary file read/download vulnerability.
Steps to reproduce
https://blog.hackall.cn/cvesubmit/854.html
https:/HackAllSec/CVEs/blob/main/Jan%20AFR%20vulnerability/README.md
https://blog.hackall.cn/cvesubmit/855.html
https:/HackAllSec/CVEs/blob/main/Jan%20Arbitrary%20File%20Upload%20vulnerability/README.md
Expected behavior
Read and Write Arbitrary File to server.
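The report above says the file APIs do not filter their path parameter. As an added illustration (not Jan's code and not the fix the maintainers shipped), this Node.js example confines `writeFileSync`/`readFileSync` calls to a single data directory and rejects traversal, absolute paths and symlink escapes. The names `resolveInside`, `safeWriteFile`, `safeReadFile`, `demo` and the directory layout are hypothetical.

```javascript
// Added example: confine file APIs to one data directory. All names are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Resolve a caller-supplied path and refuse anything that lands outside baseDir.
function resolveInside(baseDir, userPath) {
  if (typeof userPath !== 'string' || userPath === '' || userPath.includes('\0')) {
    throw new Error('invalid path');
  }
  const base = fs.realpathSync(baseDir);          // canonical root
  const candidate = path.resolve(base, userPath); // collapses "..", absolute input replaces base
  // Canonicalise the deepest existing ancestor so a symlink inside baseDir
  // cannot redirect the operation elsewhere. A dangling symlink makes
  // realpathSync throw, which also rejects the request.
  let existing = candidate;
  while (!fs.lstatSync(existing, { throwIfNoEntry: false })) existing = path.dirname(existing);
  const real = path.join(fs.realpathSync(existing), path.relative(existing, candidate));
  const rel = path.relative(base, real);
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error('path escapes data directory');
  }
  return real;
}

function safeWriteFile(baseDir, userPath, data) {
  const target = resolveInside(baseDir, userPath);
  fs.mkdirSync(path.dirname(target), { recursive: true });
  fs.writeFileSync(target, data);
  return target;
}

function safeReadFile(baseDir, userPath) {
  return fs.readFileSync(resolveInside(baseDir, userPath), 'utf8');
}

// Constructed inputs: one legitimate name, then traversal, absolute and symlink cases.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'fsguard-'));
  const data = path.join(root, 'data');
  fs.mkdirSync(data);
  fs.symlinkSync(root, path.join(data, 'link')); // symlink pointing out of data/
  const tries = ['threads/a.json', '../outside.txt', path.join(root, 'abs.txt'), 'link/x.txt'];
  return tries.map((p) => {
    try { safeWriteFile(data, p, 'x'); return 'written'; } catch (e) { return e.message; }
  });
}
```

The check and the later write are separate steps, so the data directory itself should not be writable by other untrusted local processes.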