TensorZero Gateway: Arbitrary file read and SSRF in internal object storage endpoint
The /internal/object_storage endpoint accepts a caller-supplied JSON storage_path parameter that dynamically overrides the TensorZero [object_storage] configuration. By abusing the filesystem storage type, a caller can read arbitrary files from the gateway filesystem, including files that may contain sensitive credentials. Similarly, by abusing the s3_compatible storage type, the caller can coerce the gateway into making outbound object storage requests to attacker-chosen internal/cloud-metadata endpoints. This vulnerability only applies when the gateway can …