Path Traversal in Dinky #5

Affected Environment

Project: Dinky
Repository: https://github.com/DataLinkDC/dinky
Affected Version: <=1.2.5

Executive Summary

A path traversal vulnerability exists in the Dinky platform's Git project management functionality. An attacker who holds Git project creation permissions can supply a crafted project name and cause Git repository files to be written to arbitrary locations on the server's file system.

Vulnerability Details

Vulnerable File: dinky-admin/src/main/java/org/dinky/utils/GitRepository.java
Vulnerable Function: getProjectDir(String projectName) (lines 134-145)
Primary Entry Point: GitController.saveOrUpdateGitProject() at line 86
Secondary Trigger: GitController.buildGitProject() at line 154
Attack Vector: Network (authenticated)

Impact Analysis

Confidentiality: Low
Integrity: High
Availability: Low
CVSS v3.1: 7.5 (HIGH)
Classification & Remediation: CWE-22 (Path Traversal)

Proof of Concept (PoC)

1. Reproduction Steps: Submit a malicious name as the Git project name.
2. Expected vs Actual Behavior: Path traversal sequences in the project name are processed without validation, so the resulting directory is not confined to the intended projects base directory.

Remediation

1. Input Validation: Add strict validation of the project name to the GitProjectDTO, so that both saveOrUpdateGitProject() and buildGitProject() receive only vetted names.
2. Path Validation: Use Path.normalize() on the resolved path and verify that it still lies inside the projects base directory before creating or writing anything.
3. File Permissions: Ensure the Dinky application runs with minimal file system privileges, so that a bypass of the above checks cannot reach files outside the directories the service needs.
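The following is an added illustration of remediation steps 1 and 2, written for this note; it is not Dinky's code and does not reproduce the vulnerable getProjectDir() body, which the advisory does not quote. The base directory, the class name SafeProjectDir and the helper isAcceptable() are assumptions chosen for the example. The allow-list rejects path separators and leading dots outright, and the normalize()-plus-startsWith() check is kept as a second, independent layer so that a later loosening of the allow-list cannot silently reintroduce traversal.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

public final class SafeProjectDir {

    // Assumed base directory for checked-out Git projects; the real Dinky
    // layout is not given in the advisory, so this value is a placeholder.
    private static final Path BASE_DIR =
            Paths.get("/tmp/dinky-git-projects").toAbsolutePath().normalize();

    // Allow-list for project names (remediation step 1): letters, digits,
    // '.', '-' and '_' only; no '/' or '\', no leading dot, bounded length.
    // A single path component that cannot contain a separator cannot
    // traverse, but the path check below stays as defence in depth.
    private static final Pattern SAFE_NAME =
            Pattern.compile("^[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}$");

    private SafeProjectDir() {}

    /**
     * Returns the directory for a project, or throws if the name fails the
     * allow-list or the resolved, normalized path escapes BASE_DIR.
     */
    public static Path getProjectDir(String projectName) {
        if (projectName == null || !SAFE_NAME.matcher(projectName).matches()) {
            throw new IllegalArgumentException("invalid project name");
        }

        // Remediation step 2: resolve against the base, collapse any '.' or
        // '..' segments, then confirm the result is still a strict child of
        // BASE_DIR. startsWith() works on path components, so a sibling
        // directory such as /tmp/dinky-git-projects-other is not accepted.
        Path resolved = BASE_DIR.resolve(projectName).normalize();
        if (!resolved.startsWith(BASE_DIR) || resolved.equals(BASE_DIR)) {
            throw new IllegalArgumentException("project path escapes base directory");
        }
        return resolved;
    }

    /** Convenience predicate for callers that only need accept/reject. */
    public static boolean isAcceptable(String projectName) {
        try {
            getProjectDir(projectName);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two ordinary names and two that a
        // correct implementation must reject.
        String[] samples = {
            "flink-jobs",
            "demo.project_1",
            "../../etc",
            "a/b"
        };
        for (String name : samples) {
            System.out.printf("%-14s -> %s%n", name,
                    isAcceptable(name) ? getProjectDir(name) : "REJECTED");
        }
    }
}
```

Two caveats a reviewer would want noted. Path.normalize() is purely lexical and does not follow symbolic links, so if the projects directory may already contain attacker-controlled symlinks, compare against toRealPath() of an existing directory as well. And the check must run on every entry point that derives a directory from the DTO, since the advisory lists both saveOrUpdateGitProject() and buildGitProject() as reaching getProjectDir().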