May 26, 2020

GHSL-2020-073: Path traversal in Jooby - CVE-2020-7647

Alvaro Muñoz

Summary

A Path Traversal vulnerability was identified in Jooby which allows an attacker to access arbitrary classpath resources including .properties and .class files.

Product

Jooby

Tested Version

1.6.6

Fix

Patched versions: 1.6.7 and 2.8.2

Details

Arbitrary classpath resource access

When exposing a file system directory such as in:

assets("/static/**", Paths.get("static"));

Jooby uses the following code in AssetHandler.loader() to access the file:

  private static Loader loader(final Path basedir, final ClassLoader classloader) {
    if (Files.exists(basedir)) {
      return name -> {
        Path path = basedir.resolve(name).normalize();
        if (Files.exists(path) && path.startsWith(basedir)) {
          try {
            return path.toUri().toURL();
          } catch (MalformedURLException x) {
            // shh
          }
        }
        // Reached both when the file is missing and when the normalized path
        // escaped basedir: the request name is looked up on the classpath as-is.
        return classloader.getResource(name);
      };
    }
    // No base directory at all: every request name goes straight to the classpath.
    return classloader::getResource;
  }

However, if the file does not exist or the normalized name is outside of Jooby's base directory, the classpath is also searched in classloader.getResource().

An attacker can access a URL such as http://server/static/WEB-INF/web.xml which will make Jooby search the <base directory>/static path for the referenced file. If this is not found, the classpath will be searched for /WEB-INF/web.xml instead and its contents will be returned. This way an attacker can access any configuration file or even the application class files.

Note that even if assets are configured for a certain extension, it is still possible to bypass this, e.g.:

assets("/static/**/*.js", Paths.get("static"));

In this case, an attacker can access io.yiss.App bytecode by sending:

http://localhost:8080/static/io/yiss/App.class.js

This vulnerability also affects assets configured to access resources from the root of the class path, e.g.:

assets("/static/**");

In this case we can traverse /static using:

http://localhost:8080/static/..%252fio/yiss/App.class
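The following is an added example of a hardened loader written for this advisory; it is not Jooby's code and not the fix shipped in 1.6.7 or 2.8.2. It assumes the asset name is the request path after the mount point (the same `name` the original loader receives) and introduces the hypothetical names SafeAssetLoader, isSafeName and classpathPrefix. It closes the two gaps described above: a path that escapes the base directory is rejected instead of falling through to the classpath, and any classpath fallback is confined to one explicit resource prefix so WEB-INF/, .properties and .class files elsewhere on the classpath are unreachable.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeAssetLoader {

  /** Resolves an asset name to a URL, or null when the asset must not be served. */
  public interface Loader {
    URL apply(String name);
  }

  // Hypothetical hardened replacement for AssetHandler.loader(): file-system
  // assets are served only from inside basedir, and the classpath fallback is
  // limited to a dedicated prefix (e.g. "public/") chosen by the application.
  static Loader loader(final Path basedir, final ClassLoader classloader,
                       final String classpathPrefix) {
    final Path root = basedir.toAbsolutePath().normalize();
    return name -> {
      if (!isSafeName(name)) {
        return null; // traversal, encoded separators, absolute names: reject outright
      }
      if (Files.isDirectory(root)) {
        Path path = root.resolve(name).normalize();
        if (!path.startsWith(root)) {
          return null; // escaped the asset directory: do NOT fall back to the classpath
        }
        if (Files.isRegularFile(path)) {
          try {
            return path.toUri().toURL();
          } catch (MalformedURLException x) {
            return null;
          }
        }
      }
      // Classpath lookup only under the configured prefix; with no prefix there
      // is no classpath fallback at all.
      if (classpathPrefix == null) {
        return null;
      }
      return classloader.getResource(classpathPrefix + name);
    };
  }

  // A name is safe when it is relative, uses plain '/' separators, contains no
  // "." or ".." segments and carries no percent-encoded characters (a second
  // decoding step is what turns %252f back into a '/' in the original bypass).
  static boolean isSafeName(String name) {
    if (name == null || name.isEmpty() || name.startsWith("/")
        || name.contains("\\") || name.contains("%")) {
      return false;
    }
    for (String segment : name.split("/")) {
      if (segment.isEmpty() || segment.equals(".") || segment.equals("..")) {
        return false;
      }
    }
    return true;
  }

  public static void main(String[] args) {
    Loader loader = loader(Paths.get("static"),
        SafeAssetLoader.class.getClassLoader(), "public/");
    // Constructed request names mirroring the advisory's examples; each
    // resolves to null because the name is rejected or the lookup is confined
    // to public/ on the classpath.
    String[] probes = {
        "WEB-INF/web.xml",
        "io/yiss/App.class.js",
        "..%252fio/yiss/App.class",
        "../io/yiss/App.class"
    };
    for (String probe : probes) {
      System.out.println(probe + " -> " + loader.apply(probe));
    }
  }
}
```

The important design choice is that the "file not found" and "path escaped basedir" branches no longer share an outcome with a legitimate miss: an escaped path returns null, and a miss can only reach classpath resources the application deliberately placed under the prefix. Rejecting any '%' in the name is deliberately strict; if a deployment needs percent-encoded asset names, decode exactly once before calling the loader and keep the '%' check so a double-encoded separator is still refused.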

Impact

This issue may lead to Classpath Resource Disclosure (Information Disclosure).

CVE

  • CVE-2020-7647

Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

  • 04/15/2020: Report sent to vendor
  • 05/10/2020: Issue is fixed
  • 05/11/2020: Public advisory

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com. Please include GHSL-2020-073 in any communication regarding this issue.