fix: API backups endpoint leaks absolute_path in JSON response #187

Open
opened 2026-06-29 14:41:04 +00:00 by jmiller · 3 comments
Owner

Summary

api/src/Controller/BackupsController.php returns absolute_path in the JSON API response. This exposes the full server filesystem path to API consumers.

Location

source/packages/com_mokosuitebackup/api/src/Controller/BackupsController.php

Fix

Strip absolute_path from the API response object before returning. Keep it server-side only.

## Summary `api/src/Controller/BackupsController.php` returns `absolute_path` in the JSON API response. This exposes the full server filesystem path to API consumers. ## Location `source/packages/com_mokosuitebackup/api/src/Controller/BackupsController.php` ## Fix Strip `absolute_path` from the API response object before returning. Keep it server-side only.
jmiller added the component: admin label 2026-06-29 14:41:04 +00:00
Author
Owner

Branch created: feature/187-fix-api-backups-endpoint-leaks-absolute-

git fetch origin
git checkout feature/187-fix-api-backups-endpoint-leaks-absolute-
Branch created: [`feature/187-fix-api-backups-endpoint-leaks-absolute-`](https://git.mokoconsulting.tech/MokoConsulting/MokoSuiteBackup/src/branch/feature/187-fix-api-backups-endpoint-leaks-absolute-) ```bash git fetch origin git checkout feature/187-fix-api-backups-endpoint-leaks-absolute- ```
Author
Owner

🔍 Deep-dive triage (code @ 02.56.05) — VALID, but misattributed.

api/src/Controller/BackupsController.php does not emit absolute_path: profiles() strips sensitive fields (lines 125–140), download() streams binary. The real leak is the JSON:API serializer:

  • api/src/View/Backups/JsonapiView.php:27absolute_path is in $fieldsToRenderItem, so GET /v1/mokosuitebackup/backups/:id renders the full server filesystem path. $fieldsToRenderList (40–52) correctly omits it, so the list view is clean — only the item view leaks.

Severity: Low–Medium (authenticated info-disclosure; server path aids further attacks).
Fix: remove 'absolute_path' from $fieldsToRenderItem in JsonapiView.php (it's only needed server-side). Recommend retargeting this issue to that file.

🔍 **Deep-dive triage** (code @ 02.56.05) — **VALID, but misattributed.** `api/src/Controller/BackupsController.php` does **not** emit `absolute_path`: `profiles()` strips sensitive fields (lines 125–140), `download()` streams binary. The real leak is the JSON:API serializer: - **`api/src/View/Backups/JsonapiView.php:27`** — `absolute_path` is in `$fieldsToRenderItem`, so `GET /v1/mokosuitebackup/backups/:id` renders the full server filesystem path. `$fieldsToRenderList` (40–52) correctly omits it, so the **list** view is clean — only the **item** view leaks. **Severity:** Low–Medium (authenticated info-disclosure; server path aids further attacks). **Fix:** remove `'absolute_path'` from `$fieldsToRenderItem` in `JsonapiView.php` (it's only needed server-side). Recommend retargeting this issue to that file.
Author
Owner

Still unfixed @ 02.56.05 — keep open, and the file target should be corrected.

The leak is not in BackupsController.php (its profiles() strips sensitive fields at 125-140; download() streams binary). The actual exposure is api/src/View/Backups/JsonapiView.php:27absolute_path is included in $fieldsToRenderItem, so GET /v1/mokosuitebackup/backups/:id returns the server filesystem path. $fieldsToRenderList (40-52) correctly omits it, so only the single-item view leaks. Fix: remove 'absolute_path' from $fieldsToRenderItem in JsonapiView.php:27.

Still unfixed @ 02.56.05 — keep open, and the file target should be corrected. The leak is not in `BackupsController.php` (its `profiles()` strips sensitive fields at 125-140; `download()` streams binary). The actual exposure is `api/src/View/Backups/JsonapiView.php:27` — `absolute_path` is included in `$fieldsToRenderItem`, so `GET /v1/mokosuitebackup/backups/:id` returns the server filesystem path. `$fieldsToRenderList` (40-52) correctly omits it, so only the single-item view leaks. Fix: remove `'absolute_path'` from `$fieldsToRenderItem` in `JsonapiView.php:27`.
Sign in to join this conversation.