python · bbot · Heads-up
bbot postman_download module path traversal vulnerability
What changed
The `postman_download` module in bbot uses the workspace `name` field from the Postman API to construct local directory paths without sanitization, allowing path traversal attacks.
Who it affects
Users of bbot who use the `postman_download` module and connect to Postman workspaces with untrusted names.
What to do today
Update bbot to a patched version that sanitizes the workspace name field before constructing file paths.
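The difference between joining an API-supplied workspace name straight onto an output directory and sanitizing it first is shown in the added example below. It is not bbot's code or its actual patch; the function names, the allow-list of characters and the sample names are assumptions made for illustration.

```python
import re
from pathlib import Path


def unsafe_workspace_dir(output_dir, workspace_name):
    """Pattern the advisory describes: the remote-controlled name is
    used as a path component without any sanitization."""
    return Path(output_dir) / workspace_name


def safe_workspace_dir(output_dir, workspace_name):
    """Hypothetical hardened variant: allow-list the name, then verify
    that the resolved result still sits inside the output directory."""
    base = Path(output_dir).resolve()
    # Replace everything outside a conservative allow-list, which removes
    # path separators, then strip dots so "." and ".." cannot survive.
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", workspace_name).strip(".")
    if not cleaned:
        cleaned = "workspace"  # fallback for names that sanitize to nothing
    candidate = (base / cleaned).resolve()
    # Defense in depth: also catches a symlink already planted under base.
    if base not in candidate.parents:
        raise ValueError(f"workspace name escapes output dir: {workspace_name!r}")
    return candidate


def escapes(output_dir, path):
    """True if `path` resolves to a location outside `output_dir`."""
    base = Path(output_dir).resolve()
    resolved = Path(path).resolve()
    return resolved != base and base not in resolved.parents


if __name__ == "__main__":
    out = "/tmp/bbot_out_example"  # constructed output directory
    # Constructed workspace names, as an untrusted API response might supply.
    for name in ["My Team Workspace", "../../outside/target", "/abs/path", ".."]:
        unsafe = unsafe_workspace_dir(out, name)
        safe = safe_workspace_dir(out, name)
        print(f"{name!r}: unsafe escapes={escapes(out, unsafe)}, "
              f"safe={safe.name!r} escapes={escapes(out, safe)}")
```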
Source
GitHub Advisory · bbot