Insufficient input validation allowed a directory traversal vulnerability. Any admin config and file readable by the app can be retrieved by the attacker. Furthermore, user-controlled content could be written to any admin config and files readable by the application.



Tested Version

Commit 5f48476d


The AssetServlet endpoint accepts three user-controlled parameters: screenName, idStr, and file. The three parameters are used to build the path to a stored asset whose content is then returned to the user, but the path is not sanitized which allows directory traversal and arbitrary file reads.

String screenName = post.get("screen_name", ""); // <- user-controlled
String idStr = post.get("id_str", ""); // <- user-controlled
String file = post.get("file", ""); // <- user-controlled
File assetFile = DAO.getAssetFile(screenName, idStr, file);
ByteArrayOutputStream data = new ByteArrayOutputStream();
InputStream is = new BufferedInputStream(new FileInputStream(assetFile));
// `is` is written to `data`
ServletOutputStream sos = response.getOutputStream();
sos.write(data.toByteArray()); // <- write content back to user

AssetServlet also allows arbitrary file write in its doPost method.


It is likely that Remote code execution is possible by adding malicious authorized_keys entries to the SSH daemon or by adding malicious crontabs, but this has not been tested.



Github Advisories


Coordinated Disclosure Timeline

  • 2020-03-17: Asked to open a Github security advisory.
  • 2020-06-04: Invited to Github security advisory.
  • 2020-07-02: Issue is patched.
  • 2020-07-06: CVE is assigned.
  • 2021-02-02: Advisory is published.


This issue was discovered and reported by @intrigus-lgtm.


You can contact the ISL at Please include a reference to ISL-2020-002 in any communication regarding this issue.