Lack of data validation - Path Traversal In dbgate

Description

DbGate: Zip Slip in archive/unzip allows arbitrary file write leading to RCE

The unzipDirectory() function in packages/api/src/shell/unzipDirectory.js (line 27) does not validate that extracted file paths stay within the output directory. A malicious ZIP with ../ entries writes files anywhere on the filesystem.

In the default Docker deployment, DbGate runs as root and the none auth provider issues JWT tokens without credentials via POST /auth/login, so this is exploitable by any network-adjacent attacker.

Affected code:

packages/api/src/shell/unzipDirectory.js, line 27:

const destPath = path.join(outputDirectory, entry.fileName);
// No check that destPath stays within outputDirectory

Called from packages/api/src/controllers/archive.js, lines 291-293:

async unzip({ folder }) {
    const newFolder = await this.getNewArchiveFolder({ database: folder.slice(0, -4) });
    await unzipDirectory(path.join(archivedir(), folder), path.join(archivedir(), newFolder));

The archive controller also has zero permission checks and zero path traversal protection on any of its endpoints.
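
A containment check of the kind the affected line lacks, shown as an added example that is not DbGate's code or its fix. The names safeEntryPath and auditEntries, the /srv/archive/new root and the sample entry names are hypothetical and constructed for illustration.

```javascript
const path = require('path');

// Hypothetical helper, not DbGate's code: map a ZIP entry name to a path
// under outputDirectory, or throw if the result would land outside it.
function safeEntryPath(outputDirectory, entryName) {
  const root = path.resolve(outputDirectory);
  if (entryName.includes('\0')) {
    throw new Error(`NUL byte in entry name: ${JSON.stringify(entryName)}`);
  }
  // Treat '\' as a separator as well, so Windows-style names are caught on POSIX.
  const normalized = entryName.replace(/\\/g, '/');
  const destPath = path.resolve(root, normalized);
  const rel = path.relative(root, destPath);
  // '' is the root itself; '..' or '../x' climbed out; an absolute rel means
  // a different drive on Windows.
  const escapes =
    rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (escapes) {
    throw new Error(`Entry escapes output directory: ${JSON.stringify(entryName)}`);
  }
  return destPath;
}

// Classify a list of entry names without touching the filesystem.
function auditEntries(outputDirectory, entryNames) {
  const result = { accepted: [], rejected: [] };
  for (const name of entryNames) {
    try {
      result.accepted.push(safeEntryPath(outputDirectory, name));
    } catch (err) {
      result.rejected.push(name);
    }
  }
  return result;
}

// Constructed sample entry names (not taken from a real archive).
const SAMPLE_ENTRIES = [
  'tables/users.jsonl',    // ordinary entry
  'a/../b.txt',            // stays inside after normalisation
  '..notes/readme.txt',    // leading dots, but not a parent reference
  '../../etc/cron.d/job',  // parent-directory traversal
  '/etc/passwd',           // absolute path
  '..\\..\\tmp\\x',        // backslash-separated traversal
  '../new-evil/x',         // sibling directory sharing the root's prefix
];

console.log(auditEntries('/srv/archive/new', SAMPLE_ENTRIES));
```

The check is purely lexical: it does not follow symlinks, so an extractor that also materialises symlink entries needs a separate check on the real path before writing.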

PoC:

import requests, zipfile, io

TARGET = "http://localhost:3000"

# Get auth token (no credentials needed in default Docker)
r = requests.post(f"{TARGET}/api/auth/login", json={"amoid": "none"})
token = r.json()["accessToken"]
hdrs = {"Authorization": f"Bearer {token}"}...

Impact: Arbitrary file write as root -> RCE. Full container compromise in Docker deployments.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
