Include spa module in RefApp 2.11?

So, yeah, I don’t think there’s an obvious way to use directory traversal to serve arbitrary files, but since the SPA module will serve files from the directory defined using the spa.frontend.directory global property, it could be used to serve arbitrary files from the machine. Admittedly, that’s a fairly low attack surface, but adding a check to ensure the final path is underneath the OpenMRS application directory is a pretty simple thing to do.

4 Likes
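The containment check described above, as an added example that is not part of the original post or of the OpenMRS SPA module: the requested path is resolved against the configured frontend directory, normalized, and rejected if it ends up outside that directory. The `frontendDir` argument is assumed to be the absolute path configured in `spa.frontend.directory`; the sample directory and request strings in `main` are constructed for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

// Added example, not code from the OpenMRS SPA module.
// Resolves a request path against the frontend directory and refuses
// anything that would escape it after "." and ".." are collapsed.
public final class SafeFrontendPath {

    private SafeFrontendPath() {}

    /**
     * @param frontendDir the directory configured in spa.frontend.directory
     *                    (assumed to be an absolute path)
     * @param requested   the path portion taken from the HTTP request
     * @return the resolved file path, or empty if it falls outside frontendDir
     */
    public static Optional<Path> resolveInside(Path frontendDir, String requested) {
        Path base = frontendDir.toAbsolutePath().normalize();
        // Drop leading slashes so resolve() treats the request as relative;
        // an absolute Path handed to resolve() would replace the base entirely.
        String relative = requested.replaceFirst("^/+", "");
        Path candidate = base.resolve(relative).normalize();
        // startsWith compares whole path components, so a sibling directory
        // such as /opt/openmrs/frontend-old is not mistaken for the base.
        if (!candidate.startsWith(base)) {
            return Optional.empty();
        }
        return Optional.of(candidate);
    }

    public static void main(String[] args) {
        Path base = Paths.get("/opt/openmrs/frontend"); // constructed sample value
        String[] samples = {
            "index.html",             // served
            "assets/../index.html",   // served: normalizes back inside base
            "../../etc/passwd",       // rejected: escapes base
            "/etc/passwd"             // rejected: leading slash stripped, then ".." absent, stays inside
        };
        for (String s : samples) {
            System.out.println(s + " -> "
                + resolveInside(base, s).map(Path::toString).orElse("REJECTED"));
        }
    }
}
```

Two caveats when wiring this into a servlet: apply the check to the decoded path (percent-encoded `..` must be decoded before normalization, which the container normally does for the path info), and if the frontend directory may contain symbolic links, compare `toRealPath()` of the candidate against `toRealPath()` of the base after confirming the file exists, since `normalize()` works on the string form only and does not follow links.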