| 제목 | eghuzefa engineer-your-data 0.1.3 Path Traversal |
|---|
| 설명 | The project documents `WORKSPACE_PATH` as the directory that should contain the user's data workspace. However, the actual file tools (`read_file`, `write_file`, `list_files`, and `file_info`) do not enforce that boundary. They accept arbitrary paths from the caller, convert them directly to `Path(...)`, and operate on them immediately. This lets an attacker read or write files anywhere accessible to the service account, not just under the configured workspace. |
|---|
| 원천 | ⚠️ https://github.com/eghuzefa/engineer-your-data-mcp/issues/1 |
|---|
| 사용자 | SmallW (UID 97245) |
|---|
| 제출 | 2026. 04. 10. PM 03:06 (2 개월 ago) |
|---|
| 모더레이션 | 2026. 04. 27. PM 05:10 (17 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 359814 [eghuzefa engineer-your-data 까지 0.1.3 src/server.py read_file/write_file/list_files/file_inf WORKSPACE_PATH 디렉토리 순회] |
|---|
| 포인트들 | 20 |
|---|