GHSA-62gx-5q78-wrvx
obsidian-local-rest-api: Authenticated path traversal via URL-encoded %2F in /vault/{path} — arbitrary host file read/write/delete
Details
### Summary The Local REST API's `/vault/{path}` endpoints (GET/PUT/PATCH/POST/DELETE) percent-decode the request path *inside the handler — after* Express has already routed and normalized it, then hand it to the Obsidian vault adapter with no confinement check. A literal `../` is resolved/rejected at the routing layer (→ 404), but `%2F` is not a separator there, so `..%2F..%2F` survives routing and is only turned into a real `/` by the handler's `decodeURIComponent`, reconstituting a `../` traversal that walks out of the vault. An **authenticated** client can read, write, or delete **arbitrary files on the host** with the Obsidian process's privileges.
### Details **Framework:** Express (`import express from "express"`; routes registered via `this.api.route("/vault/*")…`).
**The vulnerable line** — in `src/requestHandler.ts`, every vault handler (`vaultGet`, `vaultPut`, `vaultPatch`, `vaultPost`, `vaultDelete`) derives the path like this: ```ts const rawPath = decodeURIComponent( req.path.slice(req.path.indexOf("/", 1) + 1), ); ``` The path is `decodeURIComponent`'d **after** Express routing. A literal `../` is collapsed/rejected at the routing layer, but `%2F` isn't a separator there — so `..%2F..%2F` reaches the handler intact and this `decodeURIComponent` turns it into a real `../../`. **The string routing saw (`…%2F…`) is not the string the handler uses (`…/…`)**, and `%2e%2e` behaves the same way.
**No confinement on the decoded path.** The handlers pass `rawPath` straight to the vault adapter — e.g. `this.app.vault.adapter.readBinary(filePath)` / `this.app.vault.getAbstractFileByPath(filePath)` — with no `path.resolve` + vault-root prefix check, so the reconstituted `../../` escapes.
**The fix already exists in your code — for MOVE only.** `vaultMove` confines correctly: ```ts const syntheticRoot = "/vault"; const resolved = posix.resolve(syntheticRoot, normalized); if (resolved !== syntheticRoot && !resolved.startsWith(syntheticRoot + "/")) { this.returnCannedResponse(res, { errorCode: ErrorCode.PathTraversalNotAllowed }); return; } ``` GET/PUT/PATCH/POST/DELETE lack this guard. **Apply the same `posix.resolve(syntheticRoot, …)` + `startsWith` check to the decoded path in every vault handler**, and reject any segment that decodes to `..`.
### PoC Prereq: a running Obsidian with the Local REST API plugin enabled and its configured API key (`$API_KEY`). Targets below are Unix; adjust per OS (e.g. `..%2F..%2FWindows%2Fwin.ini` on Windows).
```bash # READ outside the vault (returns 200 + the target file's real bytes): curl --path-as-is -k -H "Authorization: Bearer $API_KEY" \ "https://127.0.0.1:27124/vault/..%2F..%2F..%2F..%2Fetc%2Fpasswd"
# WRITE outside the vault (creates a file on disk outside the vault root): curl --path-as-is -k -X PUT -H "Authorization: Bearer $API_KEY" --data "pwned" \ "https://127.0.0.1:27124/vault/..%2F..%2F..%2Ftmp%2Fcanary.txt" ```
`--path-as-is` stops curl from collapsing `..` client-side. A plain `../` (unencoded) request returns 404 — only the `%2F`/`%2e%2e` encoded form bypasses, confirming the decode-after-routing gap.
### Impact Authenticated arbitrary file **read / write / delete** outside the Obsidian vault, with the OS privileges of the Obsidian process — typically the user's home directory (SSH keys, browser profiles, dotfiles, credentials). Amplified in MCP/LLM-agent deployments: this API is widely used as an MCP server, so a prompt-injection in vault content (or a malicious MCP client) can make an agent emit a `%2F` path — turning "the agent can edit my notes" into "the agent can read/write any file on the host," with no user intent to grant filesystem access beyond the vault.
This vulnerability was reported by Caleb Brisbin through responsible disclosure.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 No fixed version published yet for obsidian-local-rest-api (npm). Pin to a known-safe version or switch to an alternative.