Assemblyline 4 service client vulnerable to Arbitrary Write through path traversal in Client code
Description

Path-Traversal -> Arbitrary File Write in Assemblyline Service Client

1. Summary

The Assemblyline 4 service client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name. No validation or sanitisation is performed. A malicious or compromised server (or any MITM that can speak to the client) can return a path-traversal payload such as ../../../etc/cron.d/evil and force the client to write the downloaded bytes to an arbitrary location on disk.

2. Affected Versions

| Item | Value |
|---|---|
| Component | assemblyline-service-client |
| Repository | CybercentreCanada/assemblyline-service-client |
| Affected | All releases up to master branch. |

4. Technical Details

| Field | Content |
|---|---|
| Location | assemblyline_service_client/task_handler.py, inside download_file() |
| Vulnerable Line | file_path = os.path.join(self.tasking_dir, sha256) |
| Root Cause | The sha256 string is taken directly from the service-server JSON response and used as a file name without any validation or sanitisation. |
| Exploit Flow | 1. Attacker (service server) returns HTTP 200 for GET /api/v1/file/../../../etc/cron.d/evil. 2. Client writes the response body to /etc/cron.d/evil. 3. Achieves arbitrary file write (code execution if file is executable). |

5. Impact

Integrity – Overwrite any file writable by the service UID (often root).
Availability – Corrupt critical files or exhaust disk space.
Code Execution – Drop cron jobs,…
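
The vulnerable line from Technical Details next to a validated version, as an added example (not code from the advisory or the Assemblyline project, and not the project's actual fix). The function names, the case-insensitive hex check and the constructed sample inputs are assumptions made for illustration.

```python
import os
import re
import tempfile

# A SHA-256 digest in hex is exactly 64 hex characters (accepting upper case is an assumption).
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def unsafe_file_path(tasking_dir: str, sha256: str) -> str:
    """Pattern from the advisory: the server-supplied value is joined as-is."""
    return os.path.join(tasking_dir, sha256)


def safe_file_path(tasking_dir: str, sha256: str) -> str:
    """Hypothetical hardened helper: return a path inside tasking_dir or raise."""
    if not isinstance(sha256, str) or not SHA256_RE.fullmatch(sha256):
        raise ValueError("server returned a value that is not a SHA-256 digest")
    base = os.path.realpath(tasking_dir)
    candidate = os.path.realpath(os.path.join(base, sha256.lower()))
    # Defence in depth: the resolved path must still sit under the tasking directory.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the tasking directory")
    return candidate


def demo() -> dict:
    """Run both helpers over constructed inputs and report what each one does."""
    tasking_dir = os.path.realpath(tempfile.mkdtemp(prefix="tasking_"))
    good = "a" * 64  # constructed, digest-shaped value
    samples = [good, "../../../etc/cron.d/evil", "/etc/cron.d/evil"]
    results = {}
    for value in samples:
        resolved = os.path.realpath(unsafe_file_path(tasking_dir, value))
        escapes = not resolved.startswith(tasking_dir + os.sep)
        try:
            safe_file_path(tasking_dir, value)
            accepted = True
        except ValueError:
            accepted = False
        results[value] = {"unsafe_escapes": escapes, "safe_accepts": accepted}
    os.rmdir(tasking_dir)  # nothing is written, so the directory is still empty
    return results


if __name__ == "__main__":
    for value, outcome in demo().items():
        print(f"{value[:24]:<26} {outcome}")
```

The absolute-path sample is included because os.path.join discards the tasking directory entirely when the second argument starts with a path separator, so stripping "../" sequences alone would not be enough.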
