Path Traversal Vulnerability in Lila Project

## Summary: A path traversal vulnerability was discovered in the Lila project that allows an attacker to access arbitrary files on the server by manipulating user-supplied input to traverse outside the intended directory structure. This flaw could potentially expose sensitive files such as application source code, configuration files, or other data not meant for public access. ## Steps To Reproduce: [add details for how we can reproduce the issue] code url lila-master/conf/routes,line 939 {F4420388} poc https://lichess.org/assets/../build.sbt {F4420380} https://lichess.org/assets/../.git/config {F4420382} ## Supporting Material/References: [list any additional material (e.g. screenshots, logs, etc.)] * [attachment / reference] ## Impact The path traversal vulnerability in the Lila project could lead to: Arbitrary file read: An attacker could access sensitive files such as: .git/config, revealing repository structure and remote URLs application.conf or similar, leaking secrets, DB credentials, or API keys Server-side source files, enabling reverse engineering or bug discovery Information disclosure: Internal logic, credentials, deployment details, or admin-only configurations may be exposed. Privilege escalation (indirectly): By reading files related to user tokens or access control, an attacker might craft further exploits. Recon for further attacks: Knowledge of internal file structure aids in targeting further vulnerabilities like RCE or IDOR.