{
  "vulnerabilities": [
    {
      "ID": "INJ-VULN-01",
      "vulnerability_type": "PathTraversal",
      "externally_exploitable": true,
      "source": "path parameter in POST /dossier/{id}/upload, /repos/inou-portal/portal/upload.go:182",
      "combined_sources": "Single source: POST parameter 'path' from multipart form",
      "path": "upload.go:182 (FormValue) → upload.go:222 (stored in UploadData.RelPath) → upload.go:451 (retrieved from database) → upload.go:455 (filepath.Join concatenation) → upload.go:462 (os.WriteFile sink)",
      "sink_call": "/repos/inou-portal/portal/upload.go:462, os.WriteFile(outPath, content, 0644)",
      "slot_type": "FILE-path",
      "sanitization_observed": "filepath.Base() applied to fileName variable at /repos/inou-portal/portal/upload.go:186 (WRONG VARIABLE - relPath remains unsanitized)",
      "concat_occurrences": "Line 455: filepath.Join(tempDir, relPath) - CRITICAL: concatenation occurs with unsanitized relPath after Base() was applied to different variable",
      "verdict": "vulnerable",
      "mismatch_reason": "Sanitization applied to wrong variable. filepath.Base() sanitizes 'fileName' for display, but 'relPath' (used in file operations) is never sanitized. The unsanitized relPath is stored in database and later used in filepath.Join() without boundary validation, allowing path traversal outside tempDir.",
      "witness_payload": "../../../../tmp/path_traversal_proof.txt",
      "confidence": "high",
      "notes": "Two-step exploit: (1) Upload file with malicious path parameter, (2) Trigger processing via POST /dossier/{id}/process-imaging. Requires PermWrite on a dossier (can use own dossier). No validation that final path stays within tempDir. Can write arbitrary files to server filesystem subject to process permissions."
    }
  ]
}