drs-verify Filesystem Store Exposed to Path Traversal via Malformed Hash Input
A critical path traversal vulnerability in the drs-verify filesystem store allows an attacker to write or delete arbitrary files on the host system. The flaw stems from the `hashPath` function, which constructs file paths by directly joining a base directory with user-controlled hash values. Go's `filepath.Join` cleans the joined path and resolves `..` parent directory components, so a crafted hash like `sha256:../../../../etc/passwd` escapes the intended store directory entirely. The final path resolves to a system location like `/etc/passwd.jwt`, granting the attacker arbitrary file write and delete capabilities with the permissions of the running drs-verify process.
The vulnerability is located in `drs-verify/pkg/store/filesystem.go` within the `hashPath` method. The function trims the `sha256:` prefix from the input hash but performs no validation or sanitization against directory traversal sequences. Both the `Put()` and `Delete()` methods subsequently use this constructed path, meaning an attacker can control both the target location and the content written—specifically a JWT string in the case of `Put()`. This creates a direct vector for system compromise, data destruction, or privilege escalation depending on the process's access rights.
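The `hashPath` behaviour described above, next to a validated variant, as an added Go example that is not the project's own code or its patch. The function names, the sample base directory and the rule that a valid hash is `sha256:` followed by 64 lowercase hex characters are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumption: a valid store key is "sha256:" + 64 lowercase hex characters.
var hexDigest = regexp.MustCompile(`^[0-9a-f]{64}$`)

var errInvalidHash = errors.New("invalid sha256 hash")

// vulnerableHashPath reconstructs the behaviour the advisory describes:
// trim the prefix, join with the base directory, no validation.
func vulnerableHashPath(base, hash string) string {
	return filepath.Join(base, strings.TrimPrefix(hash, "sha256:")+".jwt")
}

// safeHashPath validates the digest before building the path, then checks
// that the result is still inside base as defence in depth.
func safeHashPath(base, hash string) (string, error) {
	digest := strings.TrimPrefix(hash, "sha256:")
	if !strings.HasPrefix(hash, "sha256:") || !hexDigest.MatchString(digest) {
		return "", errInvalidHash
	}
	p := filepath.Join(base, digest+".jwt")
	rel, err := filepath.Rel(base, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errInvalidHash
	}
	return p, nil
}

func main() {
	base := "/var/lib/drs/store" // constructed sample base directory
	for _, in := range []string{
		"sha256:../../../../etc/passwd",      // crafted value quoted in the advisory
		"sha256:" + strings.Repeat("ab", 32), // constructed well-formed digest
	} {
		p, err := safeHashPath(base, in)
		fmt.Printf("%q\n  vulnerable=%s\n  safe=%q err=%v\n", in, vulnerableHashPath(base, in), p, err)
	}
}
```

Both `Put()` and `Delete()` would need to go through the validated function for the check to be effective.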
Exploitation is straightforward and does not require complex chaining. The impact is immediate, as the flaw provides unauthenticated file system access wherever the vulnerable component is deployed. This type of vulnerability is a severe architectural failure in input handling and path safety, often leading to full server control in containerized or directly hosted environments. It places any service relying on this drs-verify store at immediate risk until patched.