Language Sloth Directory Traversal describes a vulnerability where a programming language or its libraries are "lazy" in validating or canonicalizing user-supplied file paths.
This "sloth" manifests as a failure to rigorously sanitize or canonicalize path components. Attackers exploit this by injecting malicious sequences like `../` (parent directory traversal) or encoding variations (`%2e%2e%2f`).
If an application uses this unsanitized input to construct a file system path, the 'sloth' allows the path to resolve outside the intended base directory. For example, requesting `images/../../etc/passwd` could lead to the application inadvertently serving system files.
The defense involves robust input validation, path canonicalization (resolving all `.` and `..` components), and ensuring the final path remains within an allowed base directory. This prevents attackers from reading, writing, or executing arbitrary files on the server.
# CVE-2025-65321
The Language Sloth Discord bot is vulnerable to Directory Traversal in the gif() and png() functions. The functions build file paths using unsanitized user input for the 'name' parameter, allowing attackers to reference files outside the intended resource directories.
The functions `gif` and `png` in the file `files.py` are vulnerable to directory traversal as they use `open` to locally retrieve files from the server hosting the bot. The payloads below allow any user on Discord to retrieve `.gif` and `.png` files hosted anywhere on the server that is hosting the bot.
```python
async def gif(self, ctx, name: str = None):
    '''
    (ADM) Sends a gif from the bot's gif folder.
    :param name: The name of the gif file.
    '''
    await ctx.message.delete()
    try:
        # Vulnerable: 'name' is interpolated into the path unchecked
        with open(f'./gif/{name}.gif', 'rb') as pic:
            await ctx.send(file=discord.File(pic))
    except FileNotFoundError:
        return await ctx.send("**File not found!**")
```
```python
async def png(self, ctx, name: str = None):
    '''
    (ADM) Sends a png from the bot's png folder.
    :param name: The name of the png file.
    '''
    await ctx.message.delete()
    try:
        # Vulnerable: 'name' is interpolated into the path unchecked
        await ctx.send(file=discord.File(f'./png/{name}.png'))
    except FileNotFoundError:
        return await ctx.send("**File not found!**")
```
The `name` parameter is directly interpolated into the file path without validation or sanitization:
```
f'./gif/{name}.gif'
f'./png/{name}.png'
```
Example payloads:
```
z!gif ..\..\..\..\Windows\filename
```
```
z!png ..\..\..\..\Windows\filename
```
<img width="592" height="547" alt="image" src="https://github.com/user-attachments/assets/632cbf1a-6274-4aab-b95d-5b9c5ad5bdfd" />
The image above shows extraction of an image located at `C:\Windows\cat.gif`.
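The defense described at the top of the page (validate the name, canonicalize the path, confirm it stays inside the base directory), applied to the `./gif` and `./png` lookups. This is an added example, not the bot's code or its upstream fix; `resolve_resource`, the allow-list pattern and the sample files are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Assumed allow-list for resource names: no dots, slashes, backslashes or colons.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def resolve_resource(base_dir, name: Optional[str], ext: str) -> Optional[Path]:
    """Return the real path of <base_dir>/<name>.<ext>, or None if rejected."""
    if name is None or not _SAFE_NAME.fullmatch(name):
        return None  # rejects '..', '/', '\\', 'C:', encoded forms, empty names
    base = Path(base_dir).resolve()
    candidate = (base / f"{name}.{ext}").resolve()  # canonicalize, follow symlinks
    if base not in candidate.parents:  # containment check on the resolved path
        return None
    return candidate if candidate.is_file() else None


def demo() -> dict:
    """Run constructed names against a throwaway directory tree."""
    with tempfile.TemporaryDirectory() as root:
        gif_dir = Path(root) / "gif"
        gif_dir.mkdir()
        (gif_dir / "cat.gif").write_bytes(b"GIF89a")        # legitimate resource
        (Path(root) / "secret.gif").write_bytes(b"GIF89a")  # outside the folder
        try:  # symlink inside the folder pointing outside (may need privileges)
            (gif_dir / "link.gif").symlink_to(Path(root) / "secret.gif")
        except OSError:
            pass
        names = ["cat", "../secret", "..\\secret", "%2e%2e%2fsecret", "link", None]
        return {n: resolve_resource(gif_dir, n, "gif") is not None for n in names}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name!r:22} -> {'served' if allowed else 'rejected'}")
```

In the commands, the call would be `resolve_resource('./gif', name, 'gif')`, sending the "File not found" reply when it returns `None` and passing the returned path to `discord.File` otherwise.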
Language Sloth Directory Traversal
- Written by: khalil shreateh