Summary
The Glances widget handler (src/pages/api/widgets/glances.js) interpolates the user-controlled version query parameter directly into outbound HTTP request URLs without sanitization. This enables path traversal on the Glances backend server, with stored Basic Auth credentials forwarded to the traversed path.
Additionally, the allowedEndpoints regex in src/widgets/glances/widget.js has broken alternation precedence, but the custom Glances handler bypasses this regex entirely.
Details
Path Traversal via version parameter
src/pages/api/widgets/glances.js:
- Line 45: `version` comes from `req.query.version` (user-controlled)
- Line 48: assigned to `privateWidgetOptions.version` with only a nullish fallback to 3
- Line 16: interpolated into the URL: `${url}/api/${privateWidgetOptions.version}/${endpoint}`
An attacker supplying version=3/../../anything gets path traversal in the outbound HTTP request to the Glances backend.
Broken regex (secondary issue)
src/widgets/glances/widget.js line 6:
allowedEndpoints: /\d\/quicklook|diskio|cpu|fs|gpu|system|mem|network|processlist|sensors|containers/
Due to regex alternation precedence, only the first alternative carries the `\d\/` prefix, so the pattern matches ANY string containing cpu, fs, mem, etc. The grouping parentheses and an end anchor are missing: it should be /\d\/(quicklook|diskio|cpu|...)$/.
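As an added example (not code from the project), the two checks above in hardened form beside the original pattern: a grouped, anchored endpoint regex and a version parameter validated before it reaches the outbound URL. The helper names and the `buildGlancesUrl` shape are assumptions for illustration.

```javascript
// Added example, not the project's code. Names are hypothetical.

// Pattern quoted in the advisory: alternation binds looser than the leading
// `\d\/`, so `\d\/quicklook` is one alternative and `cpu`, `fs`, `mem`, ...
// match anywhere in the string, including after a traversal sequence.
const brokenAllowedEndpoints =
  /\d\/quicklook|diskio|cpu|fs|gpu|system|mem|network|processlist|sensors|containers/;

// Grouped and anchored: one digit, a slash, one listed name, end of string.
const fixedAllowedEndpoints =
  /^\d\/(quicklook|diskio|cpu|fs|gpu|system|mem|network|processlist|sensors|containers)$/;

function endpointAllowed(endpoint, pattern = fixedAllowedEndpoints) {
  return pattern.test(endpoint);
}

// Version handling: keep the nullish fallback to 3, but accept only a short
// whole number so the raw query value can never carry path separators.
function parseVersion(raw, fallback = 3) {
  if (raw === undefined || raw === null) return fallback;
  const s = String(raw);
  if (!/^\d{1,2}$/.test(s)) return null; // rejects "3/../../anything"
  return Number(s);
}

// Build the backend URL only from validated parts, and apply the endpoint
// allow-list in the handler itself rather than relying on the widget config.
function buildGlancesUrl(baseUrl, rawVersion, endpoint) {
  const version = parseVersion(rawVersion);
  if (version === null) throw new Error("invalid glances version parameter");
  const path = `${version}/${endpoint}`;
  if (!endpointAllowed(path)) throw new Error("glances endpoint not allowed");
  return `${baseUrl}/api/${path}`;
}
```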
Impact
- Path traversal on Glances backend with forwarded credentials
- Access to unintended Glances API endpoints or other services behind the same host
- Credential leakage if the traversed path reaches a different service