repka-lifeforce

by repkam09

Overview

A modular REST API server providing an AI conversational assistant, server utilities, weather, music playback information, and media management.

Installation

Run Command
docker compose up

Environment Variables

  • TEMPORAL_HOST
  • TEMPORAL_PORT
  • TEMPORAL_NAMESPACE
  • TEMPORAL_TASK_QUEUE
  • BRAVE_SEARCH_API_KEY
  • SUPABASE_API_KEY
  • SUPABASE_SERVICE_KEY
  • SUPABASE_URL
  • TELEGRAM_BOT_KEY
  • LIFEFORCE_ADMIN_UUIDS
  • LIFEFORCE_PORT
  • LIFEFORCE_PUBLIC_URL
  • LIFEFORCE_LOCAL_IPS
  • WEATHER_API_KEY
  • LAST_FM_API_KEY
  • LIFEFORCE_MEDIA_MOUNT
  • LIFEFORCE_MEDIA_PREFIX
  • LIFEFORCE_AUTH_TOKEN
  • TRANSMISION_PORT
  • TRANSMISSION_HOST
  • OPENAI_API_KEY

Security Notes

1. Critical Directory Traversal Vulnerability: The `backend_helper/repcast.php` script, which is actively deployed by the project's helper scripts, directly concatenates user-controlled base64-decoded input (`$urlparam`) into the directory path without sanitization. This allows an attacker to list and potentially read arbitrary files outside the intended `repcast` directory (e.g., `?dir=Lw==` would decode to `/`).
2. Static Authentication Token: The system relies on a single, static `LIFEFORCE_AUTH_TOKEN` for general API authorization. If this token is compromised, an attacker gains full access to all endpoints protected by this mechanism, with no expiry or user-specific revocation capabilities.
3. Potential Command Injection in RepCast Torrent Add: While magnet links are base64-decoded, if the `transmission` library (used for adding torrents) doesn't adequately sanitize or escape shell commands embedded within a malformed magnet link, this could lead to command injection on the server running Transmission. This is a hypothetical risk depending on the `transmission` library's internal robustness.
4. Sensitive Data in Logs: Logging webhook request bodies and query parameters directly (`/api/webhook/log`) could expose sensitive information (e.g., passwords, API keys) if clients send such data to these endpoints.
5. Misconfiguration Risk: Plugins like Home Assistant and Weather rely on API keys/URLs from environment variables. A misconfigured or malicious URL could lead to Server-Side Request Forgery (SSRF) if not properly vetted by an administrator.

Stats

  • Interest Score: 0
  • Security Score: 3
  • Cost Class: Medium
  • Avg Tokens: 500
  • Stars: 0
  • Forks: 0
  • Last Update: 2026-01-07

Tags

REST API, AI Assistant, Server Utilities, Home Automation, Media Management