Closed NHPT closed 2 months ago
We are deprecating access to the FS module from the client.
Jan resolved the issue in Jan v0.5.2, and deprecated the @janhq/core package. Could you kindly double-check if the problem still exists? https://github.com/github/advisory-database/pull/4606
Describe the bug
Jan's API interface writeFileSync and appendFileSync does not filter parameters, resulting in an arbitrary file upload vulnerability. Jan's API interface readFileSync does not filter parameters, resulting in an arbitrary file read/download vulnerability.
Steps to reproduce
Expected behavior
Read and Write Arbitrary File to server.
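The report above describes file APIs that pass a client-supplied path straight to writeFileSync, appendFileSync and readFileSync. The following is an added example, not Jan's code and not the fix Jan shipped, of one way to confine such a path to a single data directory in Node.js; `resolveInside`, `safeWriteFileSync`, `safeReadFileSync`, `demo` and every path in it are hypothetical names and constructed inputs.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hypothetical helper: resolve a client-supplied path under baseDir, or throw.
function resolveInside(baseDir, userPath) {
  if (typeof userPath !== 'string' || userPath.includes('\0')) throw new Error('invalid path');
  const base = fs.realpathSync(baseDir);
  // path.resolve collapses ".." and lets an absolute userPath replace base,
  // so its result has to be checked, not trusted.
  const target = path.resolve(base, userPath);
  // Walk up to the deepest component that exists (lstat also sees dangling
  // links), then resolve symlinks there so a link inside base cannot redirect I/O.
  let existing = target;
  while (!fs.lstatSync(existing, { throwIfNoEntry: false })) existing = path.dirname(existing);
  const real = path.join(fs.realpathSync(existing), path.relative(existing, target));
  const rel = path.relative(base, real);
  // Compare whole path components: a string-prefix test would accept "<base>-other".
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error('path escapes data directory');
  }
  return real;
}

function safeWriteFileSync(baseDir, userPath, data) {
  const target = resolveInside(baseDir, userPath);
  fs.mkdirSync(path.dirname(target), { recursive: true });
  fs.writeFileSync(target, data);
}

function safeReadFileSync(baseDir, userPath) {
  return fs.readFileSync(resolveInside(baseDir, userPath), 'utf8');
}

// Constructed inputs, run against a throwaway temp directory.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'fs-confine-'));
  const base = path.join(root, 'data');
  fs.mkdirSync(base);
  fs.mkdirSync(path.join(root, 'data-other')); // sibling sharing the prefix
  fs.symlinkSync(root, path.join(base, 'link')); // link pointing out of base
  const inputs = ['threads/a.json', '../data-other/x', path.join(root, 'x'), 'link/x', '..notes.txt'];
  return inputs.map((p) => {
    try { safeWriteFileSync(base, p, 'ok'); return safeReadFileSync(base, p); }
    catch (e) { return 'rejected'; }
  });
}

console.log(demo());
```

The check and the file operation are separate steps, so this still assumes no other process can swap in a symlink under the data directory between them.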