Path Traversal in demon1a/discord-recon

Valid

Reported on

May 15th 2021


✍️ Description

Scanning internal (git directories) leaks using Improper input validation in truffleHog function

urlHost = urlparse(argument).netloc
if urlHost != "github.com" and urlHost != "gitlab.com":
await ctx.send("**You're trying to scan unallowed URL, please use a github/gitlab URL.**")
return

The following filter doesn't scan for URL Schemes ( http, file, https) So by using the following URL

file://github.com/../tmp/gitDirectory

(gitDirectory) should have .git file in it so truffleHog can scan it

🕵️‍♂️ Proof of Concept

1- Setup Discord-Recon server in your Discord and then make a git Repo folder which contains leaks
2- use 'file://github.com/../gitDirectoryLocation'

💥 Impact

This vulnerability is capable of scanning internal repos for leaks however its low since you need to know the PATH of the gitDirectory