fix: API backups endpoint leaks absolute_path in JSON response #187
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
api/src/Controller/BackupsController.phpreturnsabsolute_pathin the JSON API response. This exposes the full server filesystem path to API consumers.Location
source/packages/com_mokosuitebackup/api/src/Controller/BackupsController.phpFix
Strip
absolute_pathfrom the API response object before returning. Keep it server-side only.Branch created:
feature/187-fix-api-backups-endpoint-leaks-absolute-🔍 Deep-dive triage (code @ 02.56.05) — VALID, but misattributed.
api/src/Controller/BackupsController.phpdoes not emitabsolute_path:profiles()strips sensitive fields (lines 125–140),download()streams binary. The real leak is the JSON:API serializer:api/src/View/Backups/JsonapiView.php:27—absolute_pathis in$fieldsToRenderItem, soGET /v1/mokosuitebackup/backups/:idrenders the full server filesystem path.$fieldsToRenderList(40–52) correctly omits it, so the list view is clean — only the item view leaks.Severity: Low–Medium (authenticated info-disclosure; server path aids further attacks).
Fix: remove
'absolute_path'from$fieldsToRenderIteminJsonapiView.php(it's only needed server-side). Recommend retargeting this issue to that file.Still unfixed @ 02.56.05 — keep open, and the file target should be corrected.
The leak is not in
BackupsController.php(itsprofiles()strips sensitive fields at 125-140;download()streams binary). The actual exposure isapi/src/View/Backups/JsonapiView.php:27—absolute_pathis included in$fieldsToRenderItem, soGET /v1/mokosuitebackup/backups/:idreturns the server filesystem path.$fieldsToRenderList(40-52) correctly omits it, so only the single-item view leaks. Fix: remove'absolute_path'from$fieldsToRenderIteminJsonapiView.php:27.