trace_709b56446ab44cef83c50b3eddf64d1b

This source file has a known vulnerability sink in it. Traverse the codebase and report the vulnerability. You can report multiple vulnerabilities. Start from http/resource.go and analyze how /api/resources handles file content. Compare its permission checks against the neighboring content-serving handlers in http/raw.go, http/preview.go, and http/subtitle.go, and report any grounded missing Perm.Download enforcement on both the normal response path and the X-Encoding path.

{
  "executiveSummary": "The Filebrowser codebase contains an authorization bypass vulnerability in its API via `http/resource.go`. The `/api/resources` endpoint handler (`resourceGetHandler`) retrieves file content for text files to serve as part of an API response without enforcing the `d.user.Perm.Download` permission check. By calling `files.NewFileInfo()` with `Content: true` and by processing specific HTTP headers (`X-Encoding: true`), the endpoint leaks the entire content of targeted files (up to 10MB in size) to authenticated users lacking download privileges. This behavior deviates from the codebase's secure reference models seen in `http/raw.go`, `http/preview.go`, and `http/subtitle.go` which consistently enforce the download scope prior to content retrieval.",
  "reports": [
    {
      "title": "Unauthorized Disclosure of Text File Contents via `/api/resources`",
      "severity": "HIGH",
      "summary": "The `resourceGetHandler` function in `http/resource.go` fails to verify the `d.user.Perm.Download` permission before loading and exposing file contents. Consequently, restricted users can read the entire content of text files (up to 10MB) either via the `Content` property of the normal JSON response, or as raw bytes by supplying the `X-Encoding: true` HTTP header.",
      "rootCauseAnalysis": "In `http/resource.go`, `resourceGetHandler` unconditionally invokes `files.NewFileInfo(...)` with `Content: true`. When the targeted file is categorized as text (or non-binary) and is <= 10MB, the `detectType` function in `files/file.go` automatically reads its bytes and attaches them to `FileInfo.Content`. Furthermore, the handler includes a secondary path that streams raw text file content unconditionally if the `X-Encoding` header is `\"true\"`. Both of these read-paths miss the critical `if !d.user.Perm.Download` authorization check that is rigorously applied in parallel handlers like `raw.go`, `preview.go`, and `subtitle.go`.",
      "impact": "An authenticated user with restricted privileges (i.e., lacking download rights) can exfiltrate sensitive information, configuration data, and arbitrary text files up to 10 MB long from any path within their authorized scope.",
      "attackPath": "1. The attacker logs into the Filebrowser application with an account that has no `Download` permission.\n2. The attacker performs a standard GET request to `/api/resources/path/to/target.txt`.\n3. The application does not check for download permissions, loads the file's content into the JSON response's `content` field, and returns it.\n4. Alternatively, if the attacker specifies `X-Encoding: true` in the HTTP headers and has `Modify` permissions, the handler provides the contents in raw bytes as an `application/octet-stream`.",
      "stepsToReproduce": [
        "1. Create a user account in the system and ensure the `Download` permission is explicitly disabled.",
        "2. Authenticate and retrieve the session token for this restricted user.",