I am not responsible for this issue as I am not a developer involved in mistral including mistral-dashboard and mistralclient, but I have a concern about the approach of the fix when looking at the proposed review.
The problem is that the code can expose the contents of files on a web server. It is not specific to files under /etc, /proc and so on.
When I commented in #6, I did not know about the utility in mistralclient which loads the contents of a local file, but after looking at the proposed change in mistralclient, the root cause is that mistral-dashboard allows the feature to be used. It looks like the feature was designed for use in a user's local env and is not expected to run on a web server.
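
An added illustration of the concern in the comment above (not code from mistralclient or mistral-dashboard; every function name here is hypothetical): a denylist of directories such as /etc and /proc still returns any other file the web server process can read, while a server-side handler that never treats submitted text as a path returns only what the user typed.

```python
import os
import tempfile

# The directories named in the comment; a denylist like this is the approach it questions.
DENIED_PREFIXES = ("/etc", "/proc")


def load_content_client_style(value):
    """Hypothetical client-side convenience: a value naming a local file is replaced by its contents."""
    if os.path.isfile(value):
        with open(value) as handle:
            return handle.read()
    return value


def load_with_denylist(value):
    """Denylist variant: refuses selected directories but still reads every other path."""
    real = os.path.realpath(value)
    if any(real == p or real.startswith(p + os.sep) for p in DENIED_PREFIXES):
        raise ValueError("path not allowed")
    return load_content_client_style(value)


def load_content_server_side(value):
    """Server-side variant: submitted text is always the definition itself, never a path."""
    return value


def demo():
    # Constructed stand-in for a server-local file that sits outside the denylist.
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "local_settings.py")
        with open(path, "w") as handle:
            handle.write("SECRET_KEY = 'constructed-sample'\n")
        return {
            "path": path,
            "denylist": load_with_denylist(path),
            "server_side": load_content_server_side(path),
        }


if __name__ == "__main__":
    result = demo()
    print("denylist variant returned:", result["denylist"].strip())
    print("server-side variant returned:", result["server_side"])
```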