| Título | ghantakiran splunk-mcp-integration 0b86b09 Path Traversal |
|---|
| Descrição | Although the original generic report focused on download endpoints, the actionable issue in this repository is earlier in the export pipeline.
create_csv_export() accepts user-controlled job_name and forwards it to csv_generator.generate_csv(). The generator constructs:
file_name = f"{job_name.replace(' ', '_')}_{job_id}_{int(time.time())}.{file_extension}"
file_path = os.path.join(settings.CSV_OUTPUT_DIR, file_name)
Only spaces are replaced. Forward slashes, backslashes, and traversal tokens survive unchanged, so a job_name like ../../../../tmp/csv_poc causes the background worker to create and write a CSV outside the configured export directory. |
|---|
| Fonte | ⚠️ https://github.com/ghantakiran/splunk-mcp-integration/issues/49 |
|---|
| Utilizador | LargeW (UID 97302) |
|---|
| Submissão | 14/04/2026 14h38 (há 2 meses) |
|---|
| Moderação | 01/05/2026 11h32 (17 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 360542 [ghantakiran splunk-mcp-integration até 0b86b09d5e5adf0433acd43c975951224613a1a6 CSV Export csv_export.py create_csv_export job_name Travessia de Diretório] |
|---|
| Pontos | 20 |
|---|