Coordinated Disclosure Timeline
- 2022-01-07: Report sent to security at apache.org.
- 2022-01-09: Receipt acknowledged.
- 2022-01-12: Apache considers it low severity and decides not to assign a CVE number.
- 2022-01-13: Issue fixed in the main branch.
- 2022-02-18: v1.0.0 with a fix was released.
Summary
A partial path traversal in the root-containment check allows file access to escape the expected root folder.
Product
Apache Felix Atomos
Tested Version
Latest revision 987492ecde0493e3e048ea30974e657b11d875ad on Linux
Details
Issue: Partial path traversal in ConnectContentFile.java (GHSL-2022-007)
getFile in ConnectContentFile.java checks at [1] whether the canonical path of the requested file starts with the canonical path of the expected root.
private Optional<File> getFile(String path)
{
    File file = new File(root, path);
    if (!file.exists())
    {
        return Optional.empty();
    }
    if (path.contains(POINTER_UPPER_DIRECTORY))
    {
        try
        {
            if (!file.getCanonicalPath().startsWith(root.getCanonicalPath())) //<----------- [1]
            {
                return Optional.empty();
            }
        }
        catch (IOException e)
        {
            return Optional.empty();
        }
    }
    return Optional.of(file);
}
If root.getCanonicalPath() does not end with a path separator, the string prefix comparison at [1] permits partial path traversal: "/usr/outnot".startsWith("/usr/out") is true, so a file under the sibling directory /usr/outnot passes the check although it is not inside the out directory.
The trailing separator is dropped in several places by java.io.File, so it cannot be relied on. On Linux, new File("/var/") prints as /var, and new File("/var", "/") prints as /var/, but new File("/var", "/").getCanonicalPath() returns /var again. Even a root that was constructed with a trailing slash therefore loses it by the time it reaches the comparison at [1].
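The following stand-alone program is an added example and is not code from Apache Felix Atomos or from the advisory author. It reproduces the prefix check described above against a constructed directory layout (a root named out beside a sibling named outnot, both created under a temporary directory), and places two hardened variants next to it: a java.nio.file.Path based check, which compares whole path components, and a string based check that appends the separator to the root before the prefix test. The method and constant names (vulnerableGetFile, hardenedGetFile, isUnderRootByString, POINTER_UPPER_DIRECTORY) are chosen for this example and are not the project's own names.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Optional;

public class PartialTraversalDemo {
    // Assumed value; the project's constant is not shown on this page.
    private static final String POINTER_UPPER_DIRECTORY = "..";

    // Check as described on this page: canonical paths compared as plain string prefixes.
    // "<base>/outnot/secret.txt".startsWith("<base>/out") is true, so the sibling leaks.
    static Optional<File> vulnerableGetFile(File root, String path) {
        File file = new File(root, path);
        if (!file.exists()) {
            return Optional.empty();
        }
        if (path.contains(POINTER_UPPER_DIRECTORY)) {
            try {
                if (!file.getCanonicalPath().startsWith(root.getCanonicalPath())) {
                    return Optional.empty();
                }
            } catch (IOException e) {
                return Optional.empty();
            }
        }
        return Optional.of(file);
    }

    // Hardened variant written for this example (not the project's fix).
    // Path.startsWith compares path components, so <base>/outnot does not
    // "start with" <base>/out. toRealPath also resolves symlinks on both sides.
    static Optional<File> hardenedGetFile(File root, String path) {
        File file = new File(root, path);
        if (!file.exists()) {
            return Optional.empty();
        }
        try {
            Path rootReal = root.toPath().toRealPath();
            Path fileReal = file.toPath().toRealPath();
            if (!fileReal.startsWith(rootReal)) {
                return Optional.empty();
            }
        } catch (IOException e) {
            return Optional.empty();
        }
        return Optional.of(file);
    }

    // For code that must keep string comparison: append the separator to the
    // root (and accept the root itself) so a prefix match can only end on a
    // directory boundary. Handles a root that already carries a trailing separator.
    static boolean isUnderRootByString(File root, File file) throws IOException {
        String rootCanon = root.getCanonicalPath();
        String fileCanon = file.getCanonicalPath();
        String prefix = rootCanon.endsWith(File.separator) ? rootCanon : rootCanon + File.separator;
        return fileCanon.equals(rootCanon) || fileCanon.startsWith(prefix);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/out is the root, <tmp>/outnot is a sibling whose
        // name merely starts with the root's name.
        Path base = Files.createTempDirectory("ghsl-2022-007-");
        Path root = Files.createDirectory(base.resolve("out"));
        Path sibling = Files.createDirectory(base.resolve("outnot"));
        Path inside = root.resolve("ok.txt");
        Path secret = sibling.resolve("secret.txt");
        Files.write(inside, "inside\n".getBytes(StandardCharsets.UTF_8));
        Files.write(secret, "not yours\n".getBytes(StandardCharsets.UTF_8));

        // Relative path that steps out of root and into the look-alike sibling.
        String escape = ".." + File.separator + "outnot" + File.separator + "secret.txt";
        File rootFile = root.toFile();

        System.out.println("vulnerable, ok.txt  -> " + vulnerableGetFile(rootFile, "ok.txt").isPresent());
        System.out.println("vulnerable, escape  -> " + vulnerableGetFile(rootFile, escape).isPresent());
        System.out.println("hardened,   ok.txt  -> " + hardenedGetFile(rootFile, "ok.txt").isPresent());
        System.out.println("hardened,   escape  -> " + hardenedGetFile(rootFile, escape).isPresent());
        System.out.println("string fix, escape  -> " + isUnderRootByString(rootFile, new File(rootFile, escape)));

        // Remove the constructed layout.
        Files.delete(inside);
        Files.delete(secret);
        Files.delete(root);
        Files.delete(sibling);
        Files.delete(base);
    }
}
```

Running it shows the bypass directly: vulnerableGetFile returns a present Optional for the escape path because the sibling's canonical path shares the root's string prefix, while hardenedGetFile and isUnderRootByString both reject it and all three accept ok.txt. The Path based variant is the one to prefer in new code; the string variant is the minimal change when the surrounding code already works with canonical path strings. Both hardened variants run the containment check on every request rather than only when the raw path contains "..", since the check is cheap and the canonical form is what matters.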
Impact
This issue allows access to files outside the expected root folder, in any sibling directory whose name starts with the root's name.
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2022-007 in any communication regarding this issue.